By now it's clear that most people in corporate roles understand that the security posture of business partners and third parties has become a top priority.
After all, nobody wants to experience another Target breach, where a compromised HVAC vendor exposed vulnerabilities in the main POS system. Companies have worked hard over the past few years to make sure that doesn't happen to them.
Yet, still it does.
Just this year, it happened in the Tallahassee area in the US, where the records of 50,000 teachers, parents, students and staff members were compromised in two separate incidents involving a third-party education services provider. And last month, the Sacramento Bee in California deleted two databases hosted by a third party after a ransomware attack exposed the voter records of 19.5 million California voters and the records of 53,000 current and former subscribers to the newspaper.
So given that it happens again and again, here's a checklist to go over before signing on with a third party. Basically, you have to throw the kitchen sink at them when it comes to security. The consequences of a breach are just too great, both in financial damage and reputational loss. Here's where to start:
1. Adhere to a consistent security approach. The major banks such as JP Morgan Chase, Bank of America, Wells Fargo and American Express have banded together to create a new company, TruSight. The new company aims to provide a consistent assessment of potential third-party vendors before they are hired. This will be done by using a common questionnaire that all vendors must fill out. The vendors must also agree to frequent on-site reviews to verify their claims. All third parties must agree to fill out similar paperwork and to accept monthly, quarterly and semi-annual site visits.
2. Focus on mobile security. Verizon's 2018 Mobile Security Index found that 32 percent of respondents admitted to sacrificing mobile security to improve expediency or business performance. Another 38 percent said their organisations were at significant risk from mobile threats. Suppliers and other third parties must demonstrate that they have a team that can focus on mobile threats.
3. Develop open lines of communication. Third parties must get in touch with the customer immediately in the event of a breach. There have to be technologies and processes in place to warn large companies of any exposure.
4. Stay on top of technology trends. New security products and upgrades come out every day. Third parties must demonstrate they have people in place who make keeping up with the latest technologies an important part of their jobs.
5. Hire companies that have staff with security and intelligence backgrounds. Most security professionals have learned on the job. Many have enterprise networking backgrounds. Look for third-party companies that have people on board with certifications like the CISSP, but also check to see if they have military, intelligence or law enforcement backgrounds; government agencies are some of the best IT trainers around.
6. Find out if the third party complies with ISO 27001 standards. Global security standards such as ISO 27001 will ensure that the third party can effectively manage financial information, intellectual property and employee details.
7. Check to see if they have a GDPR plan. Especially if they are handling data across your European operations, it's critical they have a GDPR strategy well under way. Even if they won't be working in Europe, the privacy standards outlined in GDPR are rapidly becoming an important standard globally.
8. Be sure the third party understands phishing and social engineering scams. More and more, phishing and social media scams stem from third-party companies. Suppliers and business partners have to demonstrate they understand the threat and have trained their staff and, in many cases, your staff to be sensitive to these ongoing threats.
9. Hire companies where the CISO has visibility to top management. When you conduct your interview, find out how the CISO fits into the rest of the organisation. Do they have the ear of the third party's CEO or CFO or are they several levels down in the hierarchy? If something happens, you'll want them to have the ear of their own management as well as a channel to the top people in your organisation.
10. Check for adherence to other standards such as NIST's FIPS 140-2. FIPS 140-2 is the NIST standard for cryptographic modules, which may have both hardware and software components. It was developed primarily for US Defence Department agencies but has also been adopted throughout the US government and by most private companies.
11. Inspect the SOC. Security operations centers are under a great deal of scrutiny today. Find out if there's ample coordination between the networking and security teams. Also find out to what extent they use automated tools to handle security incidents.
12. Ask about threat hunting. While threat hunters are very expensive, sometimes well in excess of US$ 200,000 (£139,727) annually, it's becoming an important capability. Find out if the supplier or business partner has hired a threat hunter or has plans to in the next six to 12 months.
13. Get them to explain how they do incident response. Does the company have a clear incident response plan where the responsibilities of the different IT players are spelled out and it's clear your IT people will be in the loop?
14. Check their identity management plan. The vast majority of breaches are caused by lost or stolen credentials. You are well within your rights to ask how the third party handles identities. See if they are moving beyond passwords into passphrases, or if they use other forms of authentication, such as one-time PINs, or have pioneered the use of biometrics and facial recognition.
15. Do they have a data privacy culture? Ask how they handle data. Do all their people understand the sensitivity of social security numbers? What's their plan for handling sensitive data? What about handling intellectual property, if that is part of the contract? Is there a follow-up plan where employees of the third party are educated on data privacy? If they stammer on this one, it's best to move on to the next company.