What is a Third-Party breach?
A Third-Party breach is one where attackers compromise your network or systems via one of your partners, suppliers, or vendors. Attackers commonly take advantage of the trust placed in Third-Parties: they often have some form of logical network or system access, yet may not apply due diligence in protecting those access mechanisms. For example, one of the most infamous breaches took place at Target in 2013, where the initial attack vector was a Third-Party HVAC company. The attackers gained a foothold using the limited access that vendor was authorized to have, then tunneled their way into more critical systems through various attack methods.
What key indicators actually matter?
Even though security questionnaires are a best practice, they don't take an organization's unique needs into consideration, which makes them the bane of many security professionals. One size does not fit all in the security world, and when looking at what really matters, shouldn't context be taken into consideration? Doesn't it make sense to determine which vendors need to be assessed every year versus those that need to be inspected less frequently? The cadence should be driven by what data they can access or handle. A key prerequisite is a clear understanding of the data a vendor has access to or can impact, gained through meticulous mapping of data flows, business processes, and system architectures. The questions themselves should also be tailored to the actual nature of the business relationship and to the nature of the data that is shared or handled.
Factors to consider:
Depending on the nature of the relationship with the Third-Party provider, it is best to take a pragmatic view to measure risk. The riskier the associated relationship with the Third-Party provider, the more questions should be asked.
Other questions you might want to ask include:
How does this impact my organization?
Developing a set of quality questions, rather than an abundance of ambiguous ones, will give you a more accurate picture of the risk associated with your Third-Party relationships. Whether you're asking a Third-Party to fill out a risk assessment or you are the Third-Party yourself, a higher quality and more focused assessment could be a game changer. While it is usually a good thing for businesses to work with more partners (i.e. to be connected to them), there is also an inherent risk that comes with that connectivity.
No one will argue that it is essential to practice due diligence to ensure that reasonable security measures are followed, but at the same time you don't want to waste resources reviewing questionnaire responses that don't align with the business relationship. Your Third-Party questionnaires should be right-sized for each particular relationship. Another aspect to think about is whether you even have the resources to go through the process required to work with a large organization.
At Online we've worked with many clients to help them both answer these questionnaires (we too have felt the pain of responding to poorly scoped questionnaires) and develop Third-Party assessment programs. Companies are now expected to exercise proper due diligence in vetting their would-be partners, not only during the pre-dating phase but periodically thereafter, both to confirm that changes in the business relationship don't call for a review of additional controls and to ensure that the Third-Party has continued to maintain an adequate security posture.
Have you had to fill out one of these questionnaires? Is there anything you like/would change about them? Tell us about your experience in the comments below.
Learn more about Online Business Systems’ Risk, Security and Privacy practice by clicking here.