Three Questions To Ask Third-Party Vendors About Cybersecurity Risk


Director, Global Field CTO, Sophos.

We live in a world where we measure everything. We rely on IQ scores to gauge cognitive abilities and the EQ to understand interpersonal intelligence and metrics like the GDP and EPI to evaluate nations’ economic and environmental performance. These assessments help us gain insights into many different aspects of our lives, enabling us to make better decisions and navigate challenges with greater understanding.

But when it comes to the digital arena, how can we apply this same rigor to evaluating the security of our software vendors and managed service providers?

The intertwined IT landscape amplifies opportunities for bad actors.

The interconnected nature of today’s IT and cybersecurity landscape means organizations rely on more third-party vendors than ever. While these partnerships help organizations access specialized expertise and resources, the increased reliance on third-party providers contributes to the growing number of software supply chain attacks.

Software supply chain attacks occur when a bad actor infiltrates a software provider’s digital infrastructure to inject malicious code into its software or software updates. This efficient method of attack enables cybercriminals to spread from the vendor into the wide network of organizations that rely on its software. More often than not, this results in bad actors stealing data or launching attacks on the provider’s customers.

For example, consider the hack involving SolarWinds and other companies that was disclosed in December 2020. A suspected state-sponsored hacking group infiltrated SolarWinds’ network and, according to the Government Accountability Office, then compromised the software product with trojanized (covertly altered) code. The file that contained the trojanized code was included in a software update, releasing the compromised update to a wide range of customers, including corporations and government entities. As a result, the threat actor could remotely access infected computers.

Such attacks place customers at risk, even if the organization adheres to best cybersecurity practices and has robust defenses in place—which underscores the importance of vigilant vendor cybersecurity.

So, in the same way that we’ve harnessed metrics to assess many other facets of our lives, there’s a need to determine how to evaluate the effectiveness of providers’ cyber defenses.

Ask these three questions to assess vendors’ security practices.

Software vendors and managed service providers remain prime targets for cyberattacks, which makes your ability to assess their security imperative. While there’s no one quantitative method of measuring the strength of an organization’s cybersecurity, you can start by asking these questions:

1. Are they certified by a reputable security organization?

One of the first things you should look for in a provider is whether they either have or are actively pursuing at least one (but ideally both) of the following certifications: International Organization for Standardization (ISO) 27001 and System and Organization Controls (SOC) 2:

• ISO 27001 requires organizations to establish and maintain robust information security management practices, which include access controls, incident response and asset management.

• On the other hand, SOC 2 ensures organizations that handle client data have thorough data protection measures in place.

These certifications demonstrate a provider’s commitment to maintaining high standards for information security and customer data management.

2. Are they transparent about their security policies and procedures?

Search for providers that not only have well-defined security policies and procedures in place but are also transparent about these practices. This means the vendor provides public access to their security policies and procedures, and their policies address all aspects of cybersecurity, including incident response, data security and vulnerability management.

Additionally, consider speaking with or reading reviews from a vendor’s current customers to gain firsthand perspectives on their experiences with the provider. By speaking with customers, you gain unbiased insights into the vendor’s security strengths and weaknesses, as well as the customer’s overall satisfaction with the provider.

3. How effective is their incident response?

If a provider has the ISO 27001 certification, you can likely assume they have effective incident response capabilities in place. But given the importance of a third-party vendor’s ability to effectively respond to incidents, it doesn’t hurt to investigate further.

Ask potential vendors about their incident response plan and how they have responded to past incidents, if applicable. The organization should have a communication plan, a business continuity plan and specific incident response procedures for various types of attacks. These practices help minimize the impact of breaches and demonstrate a provider’s commitment to transparency and accountability in handling security incidents—crucial elements in maintaining trust in a partnership.

Ensure vendor cybersecurity vigilance with a bulletproof assessment strategy.

Unlike the GDP and EPI, there isn’t a universal scorecard to evaluate the security postures of software vendors and managed service providers. But, as the need to vet partners in your software supply chain grows, you can develop internal processes and assessment criteria to ensure a comprehensive assessment of potential vendors and their security practices.

Consider metrics like response time to patch vulnerabilities and frequency of security incidents when comparing vendors. The result is that you can make more informed decisions about these partnerships and defend your organization against emerging software supply chain threats.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.