In 1624, John Donne wrote his most famous poem, ‘No man is an island’. In it, he meditates on how any loss or death affects us all. The poem begins:
No man is an island,
Entire of itself,
Every man is a piece of the continent,
A part of the main.
In IT security it is no different: we tend to focus on our own borders and perimeters and forget that all our suppliers should be equally culpable when it comes to security. Yet today’s businesses are no longer self-contained islands. In enterprise IT, we are more likely to work with third-party providers or outsourcers, with cloud services and consultants.
The reason behind this is simple: the availability of skills for hire has gone up, but the economic argument for keeping those skills in-house has diminished. While this trend for outsourcing or using third parties can free up budget for other things like innovation or further investment, it doesn’t mean that we can give up on security. Instead, we now have to manage how compliant those outside vendors and other third parties are with existing information security standards. When we don’t own the IT assets involved or manage those devices, this is easier said than done.
Complying with our internal policies and government regulations therefore becomes a skill in its own right. Assessing this compliance has never been easy, but it’s getting increasingly complicated, and the stakes are getting higher. While your organisation may have gone to great lengths to secure its IT infrastructure, the vendors and other third parties with remote access to your systems and data can make you vulnerable to breaches.
The risk from trusted third parties is real
Partly, this risk can be explained by things being ‘out of sight, out of mind’. Suppliers, consultants, service providers and partners should be trusted, and will always state their own support for secure processes. However, this degree of trust should not be absolute. If a supplier is careless, lax or inept with regards to security and compliance, you need to be proactive and find out.
Last year, hackers stole 15 million T-Mobile customer records that were stored on a server belonging to Experian, which was providing credit check services to T-Mobile. This piece of IT infrastructure slipped between the cracks of different departments, companies and roles, leading to a successful attack. Other attacks via third party suppliers have included the likes of Sony, AT&T, eBay and Target. Checking that suppliers are following their own processes and using any approved security tools as part of gaining remote access can be difficult. After all, you have no direct control over what tools are being used, even if contract agreements state what should be in place. However, it is possible to audit and check that best practices are being followed.
These checks will normally involve business process control assessments that are conducted via regular surveys. These surveys evaluate critical areas of a supplier organisation such as its business continuity plans, physical and environmental security tools and practices, operational risk safeguards and human resources procedures. As part of this, it can be determined whether security standards are in place and actually being followed. However, surveying third-party providers is more complicated today than it was in the past. There are more rules and policies to check courtesy of regulators and industry groups, while your own internal corporate governance and policy should also be in place. The rules themselves aren’t getting simpler, either. In response to the increasing risk that surrounds IT, more guidance on security and data protection is being implemented.
New directives like the European Union’s General Data Protection Regulation (GDPR) and Network and Information Security (NIS) can help companies ensure that they put best practices in place, but they will also require deeper, more detailed and longer surveys to be able to evaluate levels of compliance. GDPR also points to putting a dedicated contact in place for data protection within companies who will be responsible for the security of customer data.
Polling all the contacts that might have access to IT infrastructure is becoming a bigger challenge, as more people have access inside your organisation as well as outside of it. According to research by the Ponemon Institute, 60 per cent of companies do not monitor the security and privacy practices of vendors with whom they share sensitive or confidential information, often citing a lack of internal resources to check or verify, or that the third party will not allow independent monitoring.
To cope with this, you can automate much of this risk assessment gathering by simplifying the design, distribution, tracking and management of multiple internal and external risk assessment surveys. These surveys also have to be conducted regularly, to show that auditing is being maintained over time. Rather than relying on manual work to pull together the results from spreadsheets or interviews, automation can make it easier to track how third party vendors are responding over time.
Pulling this information together into one place can help companies get better visibility into the network of third parties that they work with. By getting more clarity into this over time, you can manage the risk of giving third parties access to your IT systems and protect your business. Just like in Donne’s poem, the impact of any loss affects us all. The end of Donne’s poem is as follows:
Any man's death diminishes me,
Because I am involved in mankind,
And therefore never send to know for whom the bell tolls;
It tolls for thee.
In enterprise IT, any security issue that affects a third party provider can result in further problems for our IT as well, due to how interconnected our businesses are today. The result of this is that no business can afford to let security processes and auditing fall away, lest it diminish ourselves.
Hariom Singh is Director, Policy Compliance at Qualys. At the company, he helps clients secure their cyber infrastructure and exceed their IT governance, risk and compliance (GRC) goals.