Target. Delta Airlines. MyFitnessPal. MyHeritage. Applebees. Very different types of businesses, but they do have one thing in common. All were victims of a data breach that had its roots in a third-party vendor.
When working with third-party vendors, security must be a shared effort. And it isn’t just your direct vendor contact that you have to worry about; a vulnerability in a vendor’s vendor could end up causing you a lot of headaches – because one thing we know is that it is the big-name enterprise that takes the greatest fall when a third party’s security is weak.
How do you best ensure that security is a shared effort and that your vendors are doing an above-adequate job in meeting not only basic security levels but also compliances and regulations dictated by government and industry standards? I had the chance to interview Lee Barrett, executive director of EHNAC, a federally recognized standards development organization and accreditation body for health care organizations. EHNAC works directly with third-party vendors all across health care to ensure the companies are meeting industry standards for business processes, privacy and security, regulatory compliance, etc. so that the companies that work with them can have trust that they will handle their data to the highest level.
SMP: Why is third-party security such an important issue for enterprise?
LB: Third-party assurance is critical for the following reasons:
- Objectivity: An entity that is contracted has no political agenda and is not influenced by the internal politics and can therefore make recommendations and identify gaps where internally there may be limitations.
- Expertise: A third-party organization that is engaged has significant expertise working with a number of other organizations and that experience can assist organizations in identifying additional vulnerabilities, gaps and implement appropriate risk-mitigation strategies.
A vendor should, of course, have cybersecurity systems in place for their own safety. Are those systems enough when they then work with another business? If not, what additional layers or steps should be taken to add that level of security to someone else's business?
We suggest that organizations with their own cybersecurity systems should also contractually require that third-party vendor organizations and outsourcers have third-party certification/accreditation to further provide a level of assurance as part of an organization’s risk mitigation strategy and planning.
SMP: How do issues like compliance regulations fit into third-party security and how are they best addressed?
LB: Compliance regulations always need to be factored into third-party security as they may raise the “bar” that needs to be the standard for that organization to be measured against. In most cases, the requirements are raised and the metrics are increased so organizations must always be monitoring and vigilant regarding compliance regulations. Additionally, organizations should monitor and be aware of any best practices in support of compliance regulations so they can implement processes to further support their internal risk mitigation planning.
SMP: As a vendor, what should be done to work with enterprise to ensure cybersecurity is a priority for everyone? What steps or procedures are involved to ensure vendors are meeting industry standards for business processes, privacy and security, regulatory compliance, etc.?
LB: We strongly suggest that organizations having their own cybersecurity systems should contractually require that third-party vendor organizations and outsourcers need to have third-party certification/accreditation to further provide a level of assurance as part of an organization’s risk mitigation strategy and planning. By implementing a third-party assurance process, it provides the oversight required for vendors and outsourcers used by an organization to assure compliance with guidelines that they implement in an effort to reduce their exposure to a breach or cyberattack.
SMP: Should you create a security policy or plan? If so, what should go into it?
LB: Yes, absolutely. In addition to administrative, physical and technical safeguards as part of a HIPAA Security Policy/Plan, there are other best practices that should be considered for inclusion, including: email protection systems; endpoint protection systems; identity and access management; data protection/loss prevention; IT asset management; network management; vulnerability management; establishment of a security operations center and incident response; medical device security and cybersecurity policies.
SMP: What if the third-party vendor suffers a security incident? What is their responsibility to the enterprise it works with?
LB: The entire process for breach/cyberattack needs to be clearly outlined in the Business Associate Agreement (BAA) and enforced contractually to minimize impact to the organization. If the entity has an Incident Response Unit, the vendor would work closely with them to manage communications to affected parties and media (as appropriate). The entire response process should be implemented with the intent of minimizing impact of the incident and executing the response plan as quickly as possible, including a business continuity plan if appropriate.
SMP: Any other thoughts you want to share about third-party security?
LB: Third-party security and management is a critical component to any organization’s risk mitigation and business continuity planning. Organizations need to ensure that they have a proactive plan to manage vendors and other outsourcers performing services on their behalf. One of the best ways to mitigate this risk is through the implementation of a contractual obligation to require any third parties to have the appropriate certification/accreditation and to be managed through a Third-Party Assurance entity.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba