According to the PWC’s 2015 U.S. State of Cybercrime Survey –
- Sixty two percent of companies evaluate the security risks of third-party vendors
- Fifty Seven percent evaluate security risks for contractors
- Forty two percent consider supplier risks
- Twenty three percent don’t evaluate third-party security at all
“I’ve seen a change happen where in the beginning, the vendors would say, ‘No, we’re secure, trust us. We don’t have to show you our security process, we don’t have to show you the results of testing,’ to today we’re seeing vendors having to provide assurances to their customers about their security programs,” Veracode co-founder and CTO Chris Wysopal said
Steps to consider:
Audit your company
As per Joe Schorr, director of advanced security solutions at Bomgar, the first step should be to focus on yourself.
“A lot of the third-party access seems to be kind of ‘fire and forget.’ ‘We decided to outsource this function, so let’s nail up the VPN, get these guys in, get them working’ — and then people tend to walk away from it,” Schorr said.
“Go back, do a good internal audit of who’s accessing what at the very least, and then get a little bit deeper: why are they accessing that, who gave them that, who’s the internal sponsor for this activity?” Schorr said. “Start peeling that onion a little bit.”
Audit third party vendors
Any vendor should be capable of providing you with that kind of information, Wysopal said. “If they say, ‘No, we don’t do that,’ or ‘We don’t share results on our internal security,’ they probably do, and they’re just trying to make you go away,” he said. “One of the things we’ve learned is that if you push hard enough, they say, ‘Yeah, you’re right. We have had a third party audit, and we can show you the results.'”
Too many companies, Schorr said, examine these issues, both internally and externally, once in detail — but fail to follow up on a regular basis.
“Even when they do it right, they tend to leave those activities in the dust and just hope they’re good for another 11 months and three weeks until they launch that audit again,” he said. “The most effective thing I’ve seen is to do it quarterly.”
Use of Technologies
“I call it the three Ps: Property, something that’s Profitable or something that’s Personal,” he said. “When you need to protect that, you should probably be talking about encryption. I’m not a fan of encrypting everything on network — I think that’s crazy — but the stuff that keeps you awake at night that you’re trying to protect, that’s the stuff for which you should be looking at some kind of an encryption scheme.”
Get It in Writing
Contracts do not need to be complex, he said. “It can be something as simple as ‘Here’s what your system should look like to connect to us, you’re going to have to go through this special connection we’ve set up, you’re going to be recorded while you’re doing all of that, and here’s our recourse if something bad happens and we find out it came through you,'” Schorr said. “That may be just enough to get people to take the extra couple of steps to do some basic security stuff on their end.”
Get your personal as well as office laptops encrypted by Alertsec
Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.
Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.