Why CISOs must act now to lock down third party risk
Third parties are an ignored risk, says Raimund Genes, who advises: review your contracts and prioritise your third parties based on risk. For example, what kind of data can they access, for what purpose and in what volume?
Raimund Genes, CTO, Trend Micro
There's nothing that will strike more fear into a CISO than mention of the dreaded 'insider threat'. Part of the reason is that managing risk effectively in this area is a complex and time-consuming task involving close co-operation with adjacent departments like Human Resources. And even then, there's no stopping a determined employee with malicious intent. Well, as events at TalkTalk's outsourcer Wipro recently taught us, there's another layer to this: the 'malicious insider third party threat'.
It was the UK service provider that was caught out this time, when a security audit discovered three Wipro employees had been stealing customer information and defrauding those customers. But because visibility into third party security is so poor, this could be just the tip of the iceberg.
Insiders and outsiders
We've been discussing the insider threat and how to combat it for years. But how many CISOs mandate the same controls for minimising risk inside their third party outsourcers? Too many still rely on contracts that may have been drawn up by predecessors, or at least not reviewed for months or years, and trust in the 'relationship' they have with their providers that nothing will go wrong. A more rigorous and systematic approach is essential.
Why? Partly because employees working for your outsourcing providers don't have the same emotional or cultural ties to your company that might make them think twice about stealing sensitive data. Another risk is that malicious outsiders use third party providers as a way into your company, the classic 'island hopping' technique we're perhaps more familiar with from malware campaigns. The idea is to find a company's soft underbelly. Just as US retailer Target was breached not directly but via a third party contractor whose security was far weaker, so outsiders could bribe employees at outsourcing companies, or even get their own people hired there. If one provider's staff vetting and security controls are too strong, they can move on and find a provider whose controls are weaker.
The buck stops here
So how do you lock down third party risk? As with all security, there's no silver bullet. But it should start with IT leaders sitting down with their counterparts in procurement and legal to make sure they select the right outsourcing provider in the first place. We'd also recommend reviewing every contract at least once a year, and sooner if there are major changes such as M&A activity among suppliers.
As for existing contracts, it's important to prioritise your third parties based on risk: what kind of data can they access, for what purpose and in what volume? Then evaluate their security posture. What technologies and policies are in place? Of course, the insider threat can never be fully neutralised by technology, but you can certainly lower your risk.
Look at how your providers vet and treat their staff. Is there a good company culture? Are staff regularly reminded of the importance of data security and the repercussions of mishandling or stealing sensitive information? Do they receive good pay and conditions? Or are there factors which may make data theft more likely? Things you might want to mandate include monitoring of staff behaviour and performance. By drawing up a baseline of 'normal' behaviour for a role, for example accessing and amending around 100 customer records per day, managers can more easily spot the anomalies which could signal a breach.
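The baselining idea above, worked through as an added example that is not code from the article or from Trend Micro. It assumes a simple per-agent daily access log in the form "date user=<id> records=<count>" (the format, the field names, the seven-day training window and the thresholds are all assumptions), builds each agent's normal range with a median and median absolute deviation rather than a mean, so that one inflated training day cannot mask later theft, and flags both a day far above that range and a login with no history at all:

```python
"""Spotting anomalous record access against a per-agent baseline.

Added illustration, not code from the article or from Trend Micro.
The log format ("date user=<id> records=<count>"), the field names,
the training window and the thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: one line per outsourcer agent per working day.
# Both agents normally touch about 100 customer records a day; on
# 2016-03-09 "carol" pulls 1400 and a previously unseen login "dave"
# appears with no history to compare against.
SAMPLE_LOG = """\
2016-03-01 user=alice records=95
2016-03-01 user=carol records=102
2016-03-02 user=alice records=101
2016-03-02 user=carol records=98
2016-03-03 user=alice records=99
2016-03-03 user=carol records=105
2016-03-04 user=alice records=104
2016-03-04 user=carol records=100
2016-03-05 user=alice records=97
2016-03-05 user=carol records=99
2016-03-06 user=alice records=100
2016-03-06 user=carol records=103
2016-03-07 user=alice records=103
2016-03-07 user=carol records=101
2016-03-08 user=alice records=98
2016-03-08 user=carol records=104
2016-03-09 user=alice records=102
2016-03-09 user=carol records=1400
2016-03-09 user=dave records=40
"""


def parse_log(text):
    """Return (date, user, records) tuples from the assumed log format."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, rest = line.split(None, 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        rows.append((date, fields["user"], int(fields["records"])))
    return rows


def build_baseline(rows, window_days, min_days=5):
    """Per-user (median, MAD) over the first `window_days` dates in the log.

    Median and median absolute deviation are robust to a single large day
    inside the training window, which a mean/stddev baseline is not.
    Users seen on fewer than `min_days` days get no baseline at all.
    """
    dates = sorted({d for d, _, _ in rows})
    train = set(dates[:window_days])
    per_user = defaultdict(list)
    for d, u, n in rows:
        if d in train:
            per_user[u].append(n)
    baseline = {}
    for u, counts in per_user.items():
        if len(counts) < min_days:
            continue
        med = median(counts)
        mad = median(abs(c - med) for c in counts)
        baseline[u] = (med, mad)
    return baseline, train


def find_anomalies(rows, baseline, train, k=3.0, floor_frac=0.10):
    """Flag post-training days where a user's count exceeds its baseline.

    threshold = median + k * spread, where spread is the MAD rescaled to a
    standard-deviation equivalent (1.4826 * MAD) but never smaller than
    floor_frac * median, so a very steady agent does not trip on noise.
    A login with no baseline is reported separately: an unknown account
    at the outsourcer is itself worth a look.
    """
    anomalies = []
    for d, u, n in rows:
        if d in train:
            continue
        if u not in baseline:
            anomalies.append({"date": d, "user": u, "records": n,
                              "reason": "no_baseline", "threshold": None})
            continue
        med, mad = baseline[u]
        spread = max(1.4826 * mad, floor_frac * med)
        threshold = med + k * spread
        if n > threshold:
            anomalies.append({"date": d, "user": u, "records": n,
                              "reason": "exceeds_baseline",
                              "threshold": round(threshold, 1)})
    return anomalies


def run_example(window_days=7):
    """Build the baseline from the sample log and return (baseline, anomalies)."""
    rows = parse_log(SAMPLE_LOG)
    baseline, train = build_baseline(rows, window_days)
    return baseline, find_anomalies(rows, baseline, train)


if __name__ == "__main__":
    base, anoms = run_example()
    for u, (med, mad) in sorted(base.items()):
        print(f"{u}: median={med} mad={mad}")
    for a in anoms:
        print(a)
```

In practice the baseline would be rebuilt on a rolling window and kept per role rather than per individual for new starters, so that a new agent is compared with their peers instead of being flagged on every day until they have history; the "no_baseline" branch here is where that lookup would go.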
The truth is the buck stops with you. No-one will remember the name of the third party outsourcing firm whose employees ran off with your customers' data. And with the coming EU General Data Protection Regulation (EU GDPR) there'll be even more pressure on you to manage that risk effectively. Not doing so could mean a fine of up to four percent of global annual turnover. So make sure your contracts set out very clearly what you expect your providers to do to minimise the risk of an insider breach. And most importantly, communicate clearly to them what will happen if they fail to take such steps.
Without mandatory breach notification, another positive change we can soon expect from the EU GDPR, we don't know the scale of the insider threat. In fact, third party providers may not even know themselves, or may be complicit in keeping things quiet. But as the regulatory landscape matures there'll be no place to hide. So start as you mean to go on and make reviewing your supplier relationships a priority.
Contributed by Raimund Genes, CTO, Trend Micro