
10:08 AM
Deena Coffman, IDT911 Consulting

Do You Trust Your Third-Party Vendors?

Banks need to work to build stronger vendor security now.

Evaluating your bank’s third-party vendors is critical to the security of its business and customer data. The bank could experience a data breach through a contractor or supplier and never find out, unless the contract requires the vendor to notify you after a security event (or until your information turns up on Pastebin, as happened to Twitter).

Recent reports that breaches at Target Corp. and Yahoo Inc. stemmed from stolen vendor credentials underscore the importance of third-party security reviews to protect information assets.


The following vendors have all experienced a data breach in the past two years: Adobe, LexisNexis, Dun & Bradstreet, Kroll Background America a/k/a HireRight, J.P. Morgan, State Farm, Kaiser Permanente and Epsilon. What if one of them was on your vendor list?


A bank’s future revenue and profitability are jeopardized when confidential business information is exposed, whether through the disclosure of proprietary information or through penalties for non-compliance with data breach and privacy regulations. For this reason, it’s important to make sure suppliers and contractors handle business information assets with the expected level of care. Third-party security reviews are a widely adopted approach.

However, a security review of every vendor isn’t necessary. So where should you start?

1. First, identify your company’s most important information assets and record them in an information asset inventory, with a sensitivity level for each.

2. Next, determine which suppliers and contractors have access to those systems and/or data. To do this, map the data flow as sensitive information comes into your organization, is copied, processed or transferred, and is finally disposed of. Every point on that map where the data is stored or handled is an exposure point.

3. Now that you know what you want to protect and where it is exposed, list all vendors with access to the exposure points. Remember to check systems, mobile devices, email, websites, databases, and access to facilities, such as those given to waste removal companies or maintenance services.

4. Once you understand which vendors have access to your information and which information is the most sensitive, rank as your first priority the vendors that have the greatest access to the most sensitive information. Request a review of each such supplier’s or contractor’s security program as it pertains to the information they handle for you. Scale the review to the exposure: a supplier with recurring, persistent access to sensitive data warrants a more in-depth review than a contractor with limited access to a subset of information. A full review covers the physical, technical and administrative controls the organization has in place for information security and privacy.

Security is like a chain: It is only as strong as its weakest link. An exposure from a weak process or policy could render a large security technology investment ineffective. Conversely, for those circumstances where limited data exposure exists, a self-assessment and contractual protections may be more appropriate than a full review.
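The four steps above and the review-depth rule in the previous paragraph, as an added worked example that is not from the article or from IDT911: a small Python script that takes a constructed asset inventory with sensitivity levels, the exposure points from the data-flow map, and the vendors with access to those points (physical ones such as shred bins included), then ranks the vendors and assigns each a review tier. All asset, vendor and exposure-point names are hypothetical sample data, and the scoring rule is the chain idea applied literally: a vendor's rank is set by the most sensitive asset it can reach, not by a sum over everything it touches.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, NamedTuple, Set


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3  # customer PII, account data, anything regulated


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: Sensitivity
    # Exposure points from the data-flow map: every place the asset is
    # stored, copied, processed, transferred or disposed of.
    exposure_points: FrozenSet[str]


@dataclass(frozen=True)
class VendorAccess:
    vendor: str
    exposure_point: str
    persistent: bool  # recurring/standing access, not a one-off engagement


class Ranked(NamedTuple):
    vendor: str
    max_sensitivity: Sensitivity
    asset_count: int
    persistent: bool
    tier: str


# Steps 1-2: constructed sample inventory and data-flow map (hypothetical).
ASSETS = [
    Asset("customer account records", Sensitivity.RESTRICTED,
          frozenset({"core-banking-db", "backup-tapes", "statement-print"})),
    Asset("loan applications", Sensitivity.RESTRICTED,
          frozenset({"loan-origination-saas", "shred-bins"})),
    Asset("vendor contracts", Sensitivity.CONFIDENTIAL,
          frozenset({"shared-drive", "shred-bins"})),
    Asset("marketing email list", Sensitivity.INTERNAL,
          frozenset({"email-platform"})),
    Asset("press releases", Sensitivity.PUBLIC,
          frozenset({"public-website"})),
]

# Step 3: constructed vendor access, including physical exposure points.
VENDOR_ACCESS = [
    VendorAccess("CoreSoft Support", "core-banking-db", persistent=True),
    VendorAccess("OffsiteTapes", "backup-tapes", persistent=True),
    VendorAccess("PrintCo", "statement-print", persistent=False),
    VendorAccess("LoanApp SaaS", "loan-origination-saas", persistent=True),
    VendorAccess("ShredItAll", "shred-bins", persistent=False),
    VendorAccess("MailBlast", "email-platform", persistent=True),
    VendorAccess("WebAgency", "public-website", persistent=True),
    VendorAccess("HVAC Maintenance", "building-plant", persistent=True),
]


def review_tier(max_sens: Sensitivity, persistent: bool) -> str:
    """Depth of review proportional to exposure, as the article recommends."""
    if max_sens >= Sensitivity.CONFIDENTIAL and persistent:
        return "full review (physical, technical, administrative controls)"
    if max_sens >= Sensitivity.CONFIDENTIAL:
        return "scoped review of the handled data"
    if max_sens >= Sensitivity.INTERNAL:
        return "self-assessment plus contractual protections"
    return "contractual protections only"


def rank_vendors(assets: List[Asset], accesses: List[VendorAccess]) -> List[Ranked]:
    """Step 4: rank vendors by the most sensitive asset they can reach.

    Weakest-link rule: the rank is driven by the MAX sensitivity a vendor
    touches, never the sum, so ten public assets do not outrank one
    restricted one. Persistence and breadth only break ties.
    """
    assets_at: Dict[str, Set[Asset]] = {}
    for a in assets:
        for p in a.exposure_points:
            assets_at.setdefault(p, set()).add(a)

    reach: Dict[str, Set[Asset]] = {}
    persistent: Dict[str, bool] = {}
    for acc in accesses:
        # An exposure point absent from the data-flow map yields no assets and
        # ranks the vendor last. That is only correct if the map is complete:
        # an unmapped flow is a blind spot, not a low risk.
        reach.setdefault(acc.vendor, set()).update(assets_at.get(acc.exposure_point, ()))
        persistent[acc.vendor] = persistent.get(acc.vendor, False) or acc.persistent

    ranked = []
    for vendor, reached in reach.items():
        max_sens = max((a.sensitivity for a in reached), default=Sensitivity.PUBLIC)
        ranked.append(Ranked(vendor, max_sens, len(reached), persistent[vendor],
                             review_tier(max_sens, persistent[vendor])))
    ranked.sort(key=lambda r: (-r.max_sensitivity, -int(r.persistent), -r.asset_count, r.vendor))
    return ranked


if __name__ == "__main__":
    for r in rank_vendors(ASSETS, VENDOR_ACCESS):
        print(f"{r.vendor:18} {r.max_sensitivity.name:12} assets={r.asset_count} "
              f"persistent={str(r.persistent):5} -> {r.tier}")
```

Run as a script it prints the ranked list; the three vendors with standing access to restricted data come out first and get a full review, the waste-removal contractor with one-off physical access to two sensitive assets lands below them with a scoped review, and the facilities vendor whose exposure point carries no mapped data sorts last. Treat that last result as a prompt to check the map rather than as a clean bill of health.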

Suppliers can gain an advantage over the competition by establishing and demonstrating a strong security posture. They can perform assessments as part of their compliance programs to proactively show clients they’re mindful of security. And they can provide a report of the assessment, with confidential information removed, of course. Additionally, a strong security posture reduces the time and effort to move from proposal acceptance to contract; the process would take longer for vendors that still need to be vetted for security.

One word of caution, however, when using PCI compliance reports as security vetting tools: PCI DSS is a set of standards that applies only to payment card data and the systems that store, process or transmit it. It may or may not be relevant to the information and systems for which you need assurance. Compliance is not the same as security.

Because security standards generally call for risk management rather than risk elimination, contractual measures may be substituted for a review. For example, where the cost of a security review would exceed the value of the contract, or where access or the amount of data is limited, it may be more advantageous to forgo a required security review and instead specify some or all of the following in the contract:

• Indemnification against third-party claims, especially IP infringement
• Limitations on liability
• Responsibility during a breach for notification, legal defense and remediation (first- and third-party)
• Insurance minimums
• Information security requirements (such as mandatory encryption)
• Assignment
• Service-level agreements that support incident response needs
• Incident response testing participation
• Insurance
  o Data breach
  o Cyber liability

Risk managers may elect to avoid, transfer or accept information security risks rather than mitigate them through controls. In any event, it should be an informed, deliberate decision. Trust but verify, because regardless of whether a data breach occurs at your facility or through a third-party supplier, your reputation and your revenue are ultimately at stake.

Deena Coffman is CEO of IDT911 Consulting.

User Rank: Author
2/12/2014 | 5:14:01 PM
re: Do You Trust Your Third-Party Vendors?
I also liked the chain imagery. By mapping their data flow, companies can visualize their 'chain' and more easily identify areas that need stronger security.
The Doctor
User Rank: Apprentice
2/12/2014 | 2:46:53 PM
re: Do You Trust Your Third-Party Vendors?
Excellent point; compliance is not security. Regarding data security: trust but verify.
The contract with the third party vendor should allow the institution to run unannounced security tests against the vendor's system. Clients must maintain constant vigilance over their third party vendors. Scorecards help create a baseline for the relevant service. The contract is not the end of the process. Continuing communication during the term of the contract is good for both the client and the vendor.
User Rank: Author
2/10/2014 | 2:30:16 PM
re: Do You Trust Your Third-Party Vendors?
Security as a chain is a good illustration. Since the chain is so long in financial services, it is even more imperative for banks to know exactly what security protocols third parties they work with have in place. It's not enough to just be secure yourself.
User Rank: Author
2/10/2014 | 1:41:38 AM
re: Do You Trust Your Third-Party Vendors?
Great analysis, Deena, and I think 2 points here are really critical: 1) that suppliers/vendors can gain competitive advantage by demonstrating secure practices etc., and 2) the point that security is not synonymous with compliance. A company can follow a whole checklist of recommendations/standards; that doesn't mean that it is impenetrable.