Our Roundtable Sessions are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialog on current trends and topics. We hosted this Session featuring a group of CXOs and other IT executives. The group met remotely to discuss the risk of third parties and how to protect your network, led by the VP & Information Security Officer for a national dental company. This Session was sponsored by SecZetta.
Virtually every business in the world has to deal with third parties. Whether you want to host something in the cloud or want a collaboration tool for your remote workforce, it’s much more feasible to seek a third-party product or service instead of reinventing the wheel. It will make your organization more agile and also guarantee better performance and availability. But opening your network to external entities also creates tons of new security risks and considerations.
A 2020 report stated that 53% of cyberattacks in the last two years stemmed from third-party integrations. So, how do you gauge the level of risk while signing a contract with a vendor? What security controls must you implement, and what sort of visibility should you have over their activities inside your system?
A senior IT executive shared that there was no third-party risk assessment policy in place when they first arrived at their current company. Any business unit leader had the authority to bring in a new vendor of choice whenever they wanted, without any scrutiny. They had to strive to build a process to identify and mitigate third-party risk, which sometimes even led to better negotiations. They used security as one of the qualifiers for dealing with vendors. In phase 1, they started with an assessment plan called Standard Data Sharing and Safeguard Agreements, which stipulated:
If the vendor scored high for risk based on this initial assessment, they would ask them to complete a more detailed supplier security assessment questionnaire.
A speaker mentioned that to fully assess a vendor for risk, you need to look within their organization. For example, what access will they have to our employees, systems, and data? What activities will they perform within our systems? Can we audit those activities? What level of privileges will they have, and can they be revoked immediately, if required? However, a lot of assessments these days don’t cover these factors.
Another problem with vendor assessment is that companies rely too heavily on reports and certifications like SOC 2 and ISO 27001. Just because a vendor holds various certifications doesn’t mean that everyone within their organization is compliant, nor does it remove the need for a risk assessment.
Lastly, what if a vendor shows up as high risk? What if they are unable to remediate the ten non-conformities within six months, as initially agreed? Do you have the relevant clauses in the contract to break the agreement and part ways? More importantly, do you have the buy-in from the rest of the organization to end a contract with an important supplier?
A participant posited that limiting vendor access to a fixed time period (e.g., 30/60/90 days) can go a long way in ensuring that no external party has indefinite access to internal resources. Following the principle of least privilege is equally important: grant only the rights and privileges that are absolutely necessary, and none by default. Identify the nature and extent of rights required by each job role or designation, and grant accordingly.
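The two controls described above, time-boxed vendor access and role-based least privilege, are easy to state and easy to let drift. The following is an added example (not code from the session, the speaker, or SecZetta) of a small access-review script a security team could run against its inventory of third-party accounts. It flags grants whose agreed 30/60/90-day window has lapsed, grants holding privileges beyond the baseline for their role, and grants tied to a role nobody has defined a baseline for. The role names, privilege strings, vendor names and account identifiers are all constructed for this example, not taken from any real environment.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical per-role privilege baselines: the minimum set each vendor job
# role needs. An organization would derive these from its own role analysis.
ROLE_BASELINE = {
    "support-readonly": {"ticket:read", "log:read"},
    "integration-engineer": {"api:invoke", "log:read"},
    "auditor": {"log:read", "config:read"},
}


@dataclass
class VendorGrant:
    vendor: str
    account: str
    role: str
    privileges: set          # privileges actually held by the account today
    granted_on: date
    max_days: int            # access window agreed at onboarding (30/60/90)

    def expires_on(self) -> date:
        """Last day on which this grant is still within its agreed window."""
        return self.granted_on + timedelta(days=self.max_days)


def review_grants(grants, today: date):
    """Return a list of findings; an empty list means every grant is in policy.

    Each finding is a dict with the account, an issue code and a short detail.
    A grant can raise more than one finding (e.g. expired AND over-privileged).
    """
    findings = []
    for g in grants:
        if today > g.expires_on():
            findings.append({"account": g.account, "issue": "expired",
                             "detail": "window ended " + g.expires_on().isoformat()})
        baseline = ROLE_BASELINE.get(g.role)
        if baseline is None:
            # No baseline means nobody decided what this role should have;
            # treat it as a finding rather than silently accepting the grant.
            findings.append({"account": g.account, "issue": "unknown_role",
                             "detail": g.role})
            continue
        excess = g.privileges - baseline
        if excess:
            findings.append({"account": g.account, "issue": "excess_privilege",
                             "detail": ",".join(sorted(excess))})
    return findings


def accounts_to_revoke(findings):
    """Accounts whose access should be pulled now: expired or undefined role."""
    return sorted({f["account"] for f in findings
                   if f["issue"] in ("expired", "unknown_role")})


# Constructed sample inventory (vendors, accounts and dates are fictional).
SAMPLE_GRANTS = [
    VendorGrant("Acme Billing", "svc-acme-01", "support-readonly",
                {"ticket:read", "log:read"}, date(2024, 5, 1), 30),
    VendorGrant("Northwind Integrations", "svc-nw-02", "integration-engineer",
                {"api:invoke", "log:read", "config:write"}, date(2024, 5, 20), 90),
    VendorGrant("Contoso Audit", "svc-audit-03", "auditor",
                {"log:read"}, date(2024, 5, 25), 60),
    VendorGrant("Fabrikam Data", "svc-fab-04", "dba",
                {"db:admin"}, date(2024, 5, 1), 90),
]


def sample_review(today_iso: str):
    """Run the review over the sample inventory as of an ISO date string."""
    return review_grants(SAMPLE_GRANTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in sample_review("2024-06-01"):
        print(f"{f['account']:14} {f['issue']:17} {f['detail']}")
    print("revoke now:", accounts_to_revoke(sample_review("2024-06-01")))
```

Run daily, this is the kind of check that turns "30/60/90 days" from a contract clause into something enforced. The `unknown_role` finding is deliberate: a vendor account whose role has no agreed baseline is exactly the "default access" the least-privilege principle says should not exist.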