How to achieve better third-party security: Let us count the ways

No enterprise is an island. In a connected world, a business cannot function without multiple relationships with third parties -- outside vendors, contractors, affiliates, partners and others.

That can be a very good thing for growing a business. But it can be a very bad thing for security. While the careless insider still tends to be viewed by experts as the weakest link in the security chain, the third-party contractor (with its own group of potentially careless insiders) is now sharing that spot, creating what is somewhat euphemistically called a major "pain point."

Ron Raether and Scot Ganow, attorneys with Faruki Ireland & Cox, noted in a recent white paper for NetDiligence that while firewalls, user credentials and strong passwords remain important, the protection they provide is incomplete.

The exploding number of online access points to companies means, "our walled fortress of firewalls and the like now has hundreds and thousands of doors. These doors are guarded by sentinels that allow any variable packet (think an employee badge without a picture) to pass through that wall," they wrote, in the paper titled, "Traitors in Our Midst: The risk of employee, contractors and third parties in the age of the Internet of Things and why security in depth remains critical to risk management."

The high-profile breach last December of retailer Target, enabled by an email phishing attack on a heating, air conditioning and refrigeration contractor, is just one example -- an employee of that contractor clicked on a malicious link, leading to the compromise of millions of credit cards.

Paul Trulove, vice president of product management at SailPoint, said similar breaches are, "all too common, especially within the communications and IT sectors. Just last week, AT&T disclosed that the personal information of its mobile customers was compromised by one of its third-party vendors," he said. "The breach allowed employees of a service provider to access customer account information, including dates of birth and Social Security numbers."

It is not a new problem either. MacDonnell Ulsch, CEO and chief analyst at ZeroPoint Risk Research, wrote nearly a year ago in SearchSecurity that, "almost without exception, a third-party vendor or affiliate is involved," in a successful cyberattack.

There are a variety of reasons for the pain. Jody Westby, CEO of Global Cyber Risk, said a major one is that too many companies have not focused on security in contracts with third-party associates. "Most companies have barely begun to get their arms around managing security issues associated with arm's-length outsourcing of IT functions and business processes," she said.

"Companies find they have little bargaining power in requesting security measures from these providers. The third-party market blossomed and seized the opportunity before its customers thought to require security measures as part of the bargain. But the reality is that third-party providers are rich targets," she said.

Another reason is that the access of third parties is not always tracked as well as it is with regular employees. "Based on a relationship's longevity and personal interactions, third-party trust levels sometimes meet or exceed the level of insider trust," Ulsch wrote.

Trulove agrees. "They are not salaried employees, so they often bypass HR when entering an organization and are not tracked through any centralized system," he said. "Ironically, a lot of contractors have the same access as a permanent employee -- or even deeper access in cases where an IT function is being outsourced."

A third is that outsiders generally bring their own hardware and software with them, which has been, and will continue to be, used in other networks that may not have been secure -- something experts call "poor hygiene."

That problem can be exacerbated by the reality that companies focus more on cost than on security when outsourcing services. James Arlen, senior security consultant with the Leviathan Security Group, calls it a "maturity gap," where companies outsource to vendors that are "lean, mean and cheap ... but are the weak link through which bad things happen."

And according to Trulove, the use of third parties is increasing. He cited statistics that show contract workers have increased from less than a half of 1% to 2.3% since the 1980s; and that 42% of employers intend to hire temporary or contract workers this year -- up 14% over the past five years.

How can companies lower those risks? There are a number of ways. Among the basics are to change the passwords on every connected device a company and its contractors buy and to use both risk-based and multi-factor authentication -- the kinds of things Arlen calls "Infosec 101."

There is obviously much more to good security than that, he said, "but we are not doing a good job of the basics, which we've known in detail for the last 15 years."

Beyond the basics, experts say it is mandatory for companies to pay much closer attention to their contracts with third parties -- Service Level Agreements (SLA) or Business Associate Agreements (BAA).

Ulsch wrote that those contracts should, at a minimum, address the following components:

  • Information security;
  • Information privacy;
  • Threat and risk analysis;
  • Compliance obligation range;
  • Enforcement mechanisms;
  • Internal audit access and disclosure requirements;
  • Foreign corrupt practices management.

Raether and Ganow recommend that a BAA should require third-party contractors to, "comply with the same security framework imposed within the company." And, "where appropriate, companies should secure the right to audit their third party contractors and then actually complete such audits."

Trulove offered several recommendations for what he called a, "governance based identity management strategy," that include:

Even with all that, Ulsch noted that protecting the integrity of information remains the primary responsibility of the company. "While various regulations may also hold third parties accountable, never assume that the obligation of compliance is assignable to another company," he wrote.

Finally, Arlen said a major weakness in BAAs or SLAs is that too often they are, "either focused on a specific compliance regulation -- be it PCI or HIPAA -- which is itself not a 'security' thing but rather a 'cover-asses-in-these-specific-ways' thing.

"The fix we need is meta-compliance -- actual security rather than theatre that smells like security," he said.

Stories by Taylor Armerding