Editor's note: This article is part of Behind the Firewall, a recurring column for cybersecurity executives to digest, discuss and debate.
Between SolarWinds, Microsoft Exchange, Kaseya and a number of other supply chain attacks, businesses are lucky if a third-party compromise has not breached their systems.
Malicious actors target vendors to maximize damage. Malware, ransomware or other infections spread through vendors and trickle into the networks of businesses buying the services, too.
It poses a challenge for security leadership: How can the business defend against the risk associated with vendors while still accessing their services?
In the wake of high-profile vendor attacks, Cybersecurity Dive asked security executives how they screen third parties to keep their networks secure.
(The comments below have been lightly edited for length and clarity.)
David McLeod, VP and CISO at Cox Enterprises
Our companies use a range of assessment questionnaires upfront and follow-up inquiries for our most critical/high-risk suppliers. The ideal outcome is a clear certification like ISO or CSF. There is typically only mild evidence of a formal program of controls and maturity practices.
There are still opportunities to expand from a risk-based approach to a comprehensive approach, whereby all connected suppliers are treated the same and exposure is assessed as either a risk to operations, financials, or regulatory compliance. Of course, a single incident or poor handling of any of these exposures would lead to a reputation risk, which is incredibly hard to gauge until the damage is done.
Audits are always so limited that their value is questionable. However, the threat of outside audit does drive compliance in some organizations and business arrangements.
Paige Adams, global CISO at Zurich Insurance Group
Early and often. We use an evolving set of solutions/processes that provide us with a level of comfort that the vendor is taking appropriate steps to protect any and all information that we may share with them, in line with our Zurich Data Commitment.
This begins with assessing the vendor's overall security posture and how it aligns to our internal control structure as well as with industry best practices. An ISO or SOC certification is a "nice to have," but those only show how secure the vendor was yesterday and, while you can make informed decisions based off the demonstrated commitment to cyber and information security, you cannot stop there.
At Zurich, our vendor risk management team works closely with our cyber threat intelligence team to proactively connect with vendors on emerging threats and/or compromises.
With the uptick in supply chain attacks and the continued proliferation of ransomware, we feel that it is necessary and critical to continually assess and manage our complete attack surface.
Vendors are a key part of our ecosystem; therefore, we proactively partner with them to manage risk and take appropriate steps to lower the likelihood of an incident that can impact Zurich and, most importantly, our customers, who entrust us with their information.
Martin Littmann, CTO and CISO at Kelsey-Seybold Clinic
The topic of evaluating the cybersecurity of "vendors" is core to HIPAA in terms of Business Associates and Business Associates Agreements. But a piece of paper is not the solution. At the same time, it would be cost prohibitive to do evaluation on a third party that approaches the level of self-evaluation a healthcare entity performs annually.
Initially we relied on third-party scorecard tools to grade the public-facing digital assets of a vendor or business associate. We supplement this with an in-person or virtual IT Risk Assessment (ITRA) meeting during which we review responses to our ITRA questionnaire.
We have also expanded this process to request documentation or attestation on the third party. This includes dates of last penetration tests, risk assessments, cyber-risk assessments, and/or certifications (HITRUST, SOC 2, etc.) as well as any executive summaries that can be supplied.
Dave Tyson, president and CSO at Apollo Information Systems
A high-quality vendor security program (VSP) needs to be light-touch where possible, effective at identifying risk issues quickly, and provide clear direction when action must be taken.
We initially vet all new contracts with outside vendors with a basic question: Does this contract touch our IT environment or sensitive data in any way? If the answer is no, we move forward. If the answer is yes, we then review a number of factors that include the kind of data or network access that will be needed, the justification for adding a new vendor (the fewer the vendors, the less potential for new risk), who will have access to the controls, and detailed technical questions specialized to each vendor.
Beyond cybersecurity controls, vendors should be able to answer questions about their ability to support your compliance requirements, response protocols and capabilities, and disaster recovery capabilities among other factors.
If the vendor will have access to highly sensitive information, such as R&D intel, it may require an on-site physical/cyber assessment to confirm security protections such as shredding practices and freelancer security conditions.
It's important to remember a VSP alone will not solve all your issues. In the infamous Target hack, attackers came through a compromised HVAC provider's access account that should have never had access in the first place. In Target's case, they should have limited the vendors' access to only where they needed to go to fully complete the job, referred to as "least privileged" access.
Steve Tcherchian, chief product officer and CISO of XYPRO Technology
At a minimum, your vendors should be in lock step with the same security standard and controls you have in place for your own organization. They are an extension of your company and represent you.
Therefore, vetting the security of your vendors is critical.
Be ready with a standard security questionnaire/assessment that is similar to your company's security program. Make that part of due diligence of onboarding any new vendor. Just like you would do your due diligence in any other business transaction, security must be considered part of any vendor onboarding.
Unfortunately, it's too often an afterthought because it gets in the way of doing business. It can't be treated this way because vendors are most targeted, and if something happens to them, it happens to you, as risk can no longer be deflected to third parties without consequence.
If you can't validate that your vendors take security as seriously as you do, continue looking.
Om Moolchandani, co-founder, CISO, and CTO at Accurics
Recent cyberattacks reported have shown that adversary groups have adopted a new strategy of launching low cost, high impact attacks using supply chains associated with vendors to reach their final targets and victims.
For organizations, vendor risks are not new. CISO organizations have been conducting vendor risk assessments for ages, but what has changed now is the vendor attack route is heavily being used by attackers to gain access to their clients. A large client using a mid-size vendor is an ideal situation for attackers.
Smaller or mid-size vendors have cost pressures and usually do not invest much in cybersecurity, which is why they can become a weak link in the protection strategy of a large client. This is exactly the reason why attackers want to go after them with low cost but high impact attacks.
As CISO, I have been practicing vendor risk assessment processes for several years now where we primarily focus on assessing vendor cyber risk programs. We use questionnaire-based mechanisms to gather information and evidence for determining a high-level understanding of vendors' risk posture and security framework to determine what security segments the vendor is focusing on like access controls, privacy, data security, network security, security awareness training, detection and protection controls, backup and recovery, personnel training, etc.
Depending on the access that we need to provide to the vendor, occasionally we would also engage in active security assessment of the vendor infrastructure to test if specific security controls are in place or not.
Vendor risk assessments also include financial fraud risk assessment, which includes background checks, financial wellbeing and other fraud-related checks. Oftentimes, I have utilized vendor audit reports as well as evidence such as SOC2 reports.