Recently, Yahoo announced a breach affecting more than one billion user accounts. Attackers reached user accounts by routes that included traversing multiple networks and answering users’ security questions. The most troubling part of this breach is that it occurred in 2013, yet its full extent was not made public until recently.
What allowed Yahoo’s massive breach is still emerging, but it raises several questions for you: How do you know your information is well protected at every exposure point, including your vendors’ vendors? Have all your outside vendors (i.e., third and fourth parties) been thoroughly vetted, both before the relationship started and as ongoing due care?
The reality of today’s technological world is not whether you will be breached but when, and which safeguards you put in place beforehand. The risks we fight are a formidable combination of malicious intent, skilled attackers and well-funded, organized groups.
Here’s a checklist to help protect your information against third-party vendor risks:
Checklist #1: Where is my information?
Ask this question for the entire lifecycle of your information and identify who can or might access it.
Data flows through your systems in a variety of ways and touches other systems along the way. An attack can arrive through an unexpected channel that, once inside, provides a path to far more sensitive information.
For example, Target’s 2013 breach of nearly 110 million customers’ records began when attackers used network credentials stolen from Target’s HVAC vendor to get into Target’s network, and from there worked their way to customer payment and personal data.
Ask these questions regarding the location of your information:
- Do you have an information lifecycle for all your critical data?
- Who are my vendors’ vendors?
- How do vendors and vendors’ vendors store, access and process my data?
- Who has access to my critical information within my company and at my vendors’ companies?
Ensure your vendor contracts, including cloud contracts, spell out your rights and define the vendor’s obligations to protect the information throughout its lifecycle.
Checklist #2: How is my information protected?
Details of Yahoo’s most recent disclosure indicate that attackers accessed user accounts more than three years before the breach came to light. The way to catch similar attacks early is adequate monitoring: tools and procedures that detect unauthorized access and are tested regularly. How often you test them depends on the value of your organization’s information and customers.
For example, if your information consists of marketing plans for an upcoming product launch and it is exposed, your reputation could be damaged. If details of an anticipated acquisition or regulated financial data are breached, however, the harm to your brand and reputation could be permanent.
Continuous monitoring of your outside vendors, even after the contract is signed, is crucial. Establish due-care processes to monitor vendors’ activities and their access to your data, and run those processes weekly, monthly or annually depending on the criticality of the data.
Ask these questions to determine how your information is protected:
- What protection, processes, assessments or reviews of established controls are in place across the entire information lifecycle?
- Are you certain all of your critical information is adequately protected, wherever it may reside throughout its lifecycle?
- How often do assessments occur based upon the intrinsic value of your information?
- What types of security controls does a potential vendor (and their vendors) have and how do those controls align with your company’s requirements?
- Are you certain all required data protection controls are implemented at your vendor’s vendors and how can you prove it?
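The two checklists above (where the information is, and whether every party that can reach it is reviewed often enough) can be turned into something you can actually run against a vendor inventory. The script below is an added example, not code from the original article: it models first-tier vendors, the data they forward to their own subprocessors, and each party’s last assessment date, then follows the forwarding edges transitively to list every party that can reach each data class and flags parties whose last assessment is older than the strictest review cadence their data exposure requires. All vendor names, data classes, dates and cadence values are constructed for illustration.

```python
from collections import deque
from datetime import date, timedelta

# Constructed inventory; party names are hypothetical, not real vendors.
# "forwards" maps each subprocessor (a vendor's vendor) to the data classes
# this party passes on to it. "last_assessed" is the date of our last review.
PARTIES = {
    "payroll-saas": {
        "forwards": {"cloud-host-a": {"employee-pii"}, "mail-relay": {"employee-pii"}},
        "last_assessed": date(2016, 9, 1),
    },
    "crm-saas": {
        "forwards": {"cloud-host-a": {"customer-pii"}, "analytics-b": {"customer-pii"}},
        "last_assessed": date(2016, 11, 15),
    },
    "cloud-host-a": {"forwards": {}, "last_assessed": date(2016, 2, 1)},
    "mail-relay": {"forwards": {}, "last_assessed": None},  # never reviewed
    "analytics-b": {
        "forwards": {"cloud-host-a": {"customer-pii"}},
        "last_assessed": date(2015, 6, 1),
    },
}

# Data classes we hand directly to first-tier vendors (constructed).
DIRECT_FLOWS = {
    "payroll-saas": {"employee-pii", "financials"},
    "crm-saas": {"customer-pii", "marketing-plans"},
}

# Maximum days between assessments, by data criticality (constructed values).
CADENCE_DAYS = {
    "financials": 90,
    "customer-pii": 90,
    "employee-pii": 180,
    "marketing-plans": 365,
}

# Reference date for the report, so results are reproducible.
AS_OF = date(2016, 12, 20)


def exposure_map(parties, direct_flows):
    """Return {data_class: {party, ...}}: every party that can reach each data
    class, found by breadth-first traversal of the forwarding edges."""
    exposure = {}
    for vendor, classes in direct_flows.items():
        for dc in classes:
            reached = exposure.setdefault(dc, set())
            queue = deque([vendor])
            while queue:
                party = queue.popleft()
                if party in reached:
                    continue  # already visited; also guards against cycles
                reached.add(party)
                forwards = parties.get(party, {}).get("forwards", {})
                for sub, forwarded in forwards.items():
                    if dc in forwarded:
                        queue.append(sub)
    return exposure


def overdue_reviews(parties, exposure, cadence_days, today):
    """For each party, take the strictest cadence among the data classes it can
    reach and report parties never assessed or assessed too long ago.
    Returns a sorted list of (party, required_days, reason)."""
    required = {}
    for dc, reached in exposure.items():
        for party in reached:
            required[party] = min(required.get(party, cadence_days[dc]), cadence_days[dc])
    findings = []
    for party, days in sorted(required.items()):
        last = parties.get(party, {}).get("last_assessed")
        if last is None:
            findings.append((party, days, "never assessed"))
        elif today - last > timedelta(days=days):
            findings.append((party, days, f"last assessed {last.isoformat()}"))
    return findings


def run_report(today=AS_OF):
    """Build the exposure map and return the overdue-review findings."""
    exposure = exposure_map(PARTIES, DIRECT_FLOWS)
    return exposure, overdue_reviews(PARTIES, exposure, CADENCE_DAYS, today)


if __name__ == "__main__":
    exposure, findings = run_report()
    for dc, reached in sorted(exposure.items()):
        print(f"{dc}: {', '.join(sorted(reached))}")
    for party, days, reason in findings:
        print(f"OVERDUE {party}: {reason} (required every {days} days)")
```

Note that cloud-host-a never appears in DIRECT_FLOWS, yet the traversal shows it holding both employee and customer data through two different first-tier vendors, which is exactly the fourth-party exposure the checklist asks about. Its review cadence is then driven by the most sensitive data it can reach, not by the contract you happen to have with the vendor in front of it.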
Checklist #3: What to do next?
Conduct thorough due diligence on all vendors before sharing your information with them, and review data protection holistically across the information’s entire lifecycle.
Investigate and discover all possible points of access to your data, no matter how improbable they may seem. Include contractual language requiring your vendors to prove that all required security controls are in place and performing as agreed.
Ask yourself these questions to reduce risk from outside vendors:
- Have you checked for risks from outside vendors at every stage of the data lifecycle?
- Have you identified all possible points of access to your critical information from outside vendors and their support chain?
- Are your current monitoring and review procedures up to date, effective and viable in this rapidly evolving technological world?
- Do you feel comfortable with your existing vendor security strategy or is there a nagging sense more can be done?
If you answered yes to that last question, contact us for an expert analysis of your risk posture and a comprehensive strategy to combat third-party threats.