Who Can Be Third-Party Vendors
Third-party vendors are all entities (usually other companies) that your company does business with in any capacity. Your suppliers, your outside IT support partners, a marketing agency that you employ either on a permanent basis or for one-off projects, an accounting firm you employ, etc.
In the modern business world, often times these third-party vendors gain temporary access to certain parts of your cyber system. For instance, you might allow a marketing agency to gain access to the server where your website is hosted, from where it is possible to access all kinds of other data that pertains to your company and your customers. When we are talking your outside IT partners, they usually have limitless access to the majority of your company data and systems.
Third-party vendor data breaches are extremely common and according to recent research by Soha Systems, almost two-thirds of all cybersecurity breaches can be traced to third-party vendors.
In a great article from Security Scorecard, you can find descriptions of a number of major third-party vendor breaches from 2016. It provides a great overview of the different ways in which attackers use third-party vendors to access data belonging to some of world's largest companies and organizations.
Protecting Your Company
Protecting your company from third-party vendor-related cybersecurity breaches can be done, but it will require quite a bit of work and meticulous planning and executing.
Beefing up from within
For one, you will want to immediately install a multi-layered strategy that will cover every possible access point to your system – from mobile devices, computers to applications, servers and any other imaginable point of entry.
A huge part of this will be a system of at least two-factor authentication for any and all data and network access requests that come from outside of the company. In other words, every request for access needs to be confirmed by at least two factors, preferably three or more.
You should also immediately start educating everyone in your company and provide guidelines for their behavior when third-party requests are in question. This will involve everyone working for your company, from executives to temp workers.
Assessing all vendors
When deciding to do business with certain third-party vendors, you simply have to insist on being able to assess their cybersecurity measures and practices. This is a costly process and you might find out that certain vendors are not too happy about someone inspecting their practices, but if you want to be as safe as possible, you will do it.
It should be pointed out that this is not a one-off thing and that you will want to continue assessing their cybersecurity solutions throughout your relationship, making sure they are constantly updating their security measures and staying in touch with what is happening in the world of cybersecurity.
Once you are satisfied with how this potential new partner handles their cybersecurity, you should ask them to sign a service-level agreement which will prescribe all of their future practices that can in any way pertain to the way they handle your business and your data. This agreement should cover, among other things, information privacy and security, risk analysis, data access and, equally as important, breach reporting requirements (making sure your vendor informs you the moment they suffer a breach).
Open lines of communication
A way to add yet another layer of security to your third-party vendor relationships is to stay in touch with them and their security people. For companies that use intranet, this will be very easy as you will be able to simply include their people in all of your cybersecurity correspondence, making sure they have access to all important guidelines and documents.
You should also ask them to give you regular updates on how they are handling things on their end, whether they are regularly updating their security systems and practices and whether they are noticing any strange things happening.
These open lines of communication will come in particularly handy should they suffer a breach. This way, you will be informed immediately and you will be able to start closing all potential avenues of attack coming from them to your system.
Third-party vendors are an essential part of any corporate cybersecurity ecosystem and you need to remember this at all times. That being said, with some smart practices and extra effort, you can reduce the chances of suffering such a breach dramatically.
Make sure to do it.
Site last updated: 13. February 2020