The Importance of Vendor Assessments for Cyber Security


Even those outside of the corporate world are probably aware of some of the cyber security incidents that have occurred in recent years at well-known companies. Target, Home Depot, AT&T and many other marquee companies have had to deal with hacks into their systems that compromised sensitive information. What is probably less well known is that the majority of these Cyber Security breaches were actually due to failures by these companies' vendors, who acted as the vectors for the malicious acts, rather than by the companies themselves.

To use one specific and well-known example, it is Target whose reputation was damaged and that is blamed for the theft of its customers' credit card data, not the vendor it hired to manage its credit card authorization process, which had failed to encrypt Target's credit card data during transmission (while Target had properly encrypted the data within its own systems).

What is also probably less known is that for some of these Cyber Security Breaches, the total costs incurred by the companies in dealing with the consequences have often been over a quarter of a billion dollars. Board members/owners are typically sued as well. So the importance of Cyber Security is quickly becoming a hot topic in the corporate world.

But there are some companies who still feel they don't need to worry about Cyber Security. We met with one company that only did B2B transactions, and they actually stated that "hackers aren't interested in us, because we don't have any sensitive customer data". Several months later, they discovered their B2B customers could not access their portal, because their domain had been blacklisted as a pornography site. Hackers had gained access to their servers and were using them to store and serve up the pornography. Hopefully this illustrates that Cyber Security should be on the radar of EVERY company.

Given that the majority of Cyber Security Breaches are due to weak controls in third party vendors, it is extremely important to not only assess and implement best practice controls for your own systems, but assess the cyber security controls in place with your vendors as well.

For companies that use third party vendors to outsource various IT functions, an efficient and effective process needs to be developed to assess these vendors. This process needs to be integrated into the procurement process, and typically incorporates the Legal department and Internal Audit or another area with sufficient technical expertise to perform these assessments of vendors.

The assessment needs to be completed prior to the actual utilization of the vendor’s services. So ideally, as soon as a Requisition or RFQ process is initiated, the systems and processes involved would trigger the review process for IT related vendors.

A very cost effective method of performing the assessment is to have the vendor complete a questionnaire designed to capture what policies, procedures, and mechanisms the vendor has in place to create a control environment that minimizes the likelihood of a Cyber Security Breach, as well as the maturity of these processes within the organization.

In addition, the Legal department of an organization should develop standard terms and conditions and SLAs that require IT vendors to warrant compliance with certain minimum standards and best practices related to Cyber Security. The Legal team will need to work with Internal Audit or other experts on what these terms/SLAs should contain.

Typically, a project team comprised of Procurement, Legal, IT, and Internal Audit members is needed to design the processes and mechanisms to ensure Vendors that will touch IT systems have adequate controls in place to prevent Cyber Security Breaches.

The design of an effective Vendor Assessment process might look similar to this:

1. A requisition is submitted to Purchasing/Procurement involving the purchase of outsourced IT services (a flag in the system would be leveraged to indicate that the category of purchase relates to IT).

2. This flag would trigger a dedicated resource to review the nature of the services and assess whether or not a Vendor Assessment should be triggered (this person could be in Purchasing, Internal Audit, or Legal).

3. If they decide an Assessment is merited (based on pre-defined criteria), they assign the assessment to someone qualified to perform it, using either an internal or an outsourced resource.

4. The Assessor gathers material from the Vendor (who will be happy to provide such information to win your business) pertaining to their Cyber Security practices. This information may include pre-existing certifications, such as PCI-DSS QSA, SOC1, or SOC2, but typically also needs to include the specific policies and procedures that are in place at the vendor related to Cyber Security. It is a big red flag if you ask them for their policies regarding Identity and Access Management and they can't provide them! (This assessor should be familiar with best practices and the various frameworks that have been developed related to Cyber Security Controls. They should also be able to ask follow-up questions to assess how mature the controls are. For example, just because a policy exists does not mean it is effectively implemented or being followed within an organization.)

5. One of the controls that needs to be verified is that the Vendor assesses its own vendors!

6. The results of the assessment are analyzed and the Vendor is given a risk score. If the score is not adequate, that vendor should not be utilized and the quoting/RFP process should continue with other candidate vendors.
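Steps 4 to 6 leave the risk score abstract. The following is an added example, not code from the original post or from Simple GRC, showing one way to turn questionnaire answers into a score: each control is answered on a maturity scale (so "a policy exists on paper" scores lower than "implemented and monitored", as step 4 stresses), controls are weighted, and a few controls are mandatory gates, so a vendor that cannot produce an Identity and Access Management policy or does not assess its own vendors (step 5) is rejected regardless of its overall score. The control names, weights, maturity levels, threshold and sample responses are all constructed assumptions, not a published framework mapping.

```python
"""Added example: scoring a vendor cyber-security questionnaire.

Illustrative code, not from the original post or Simple GRC's own tooling.
Control names, weights, maturity levels, threshold and sample answers are
constructed assumptions.
"""
from dataclasses import dataclass

# Maturity scale for each answer. A documented policy is worth something,
# but far less than one that is implemented and monitored in practice.
MATURITY = {
    "none": 0.0,          # no policy and no practice
    "documented": 0.4,    # a policy exists on paper only
    "implemented": 0.7,   # the policy is in operation
    "monitored": 1.0,     # operation is measured and audited
}


@dataclass(frozen=True)
class Control:
    name: str
    weight: int              # relative importance in the overall score
    mandatory: bool = False  # a "none" answer here fails the vendor outright


# Constructed control set (an assumption for this example).
CONTROLS = [
    Control("identity_and_access_management", 5, mandatory=True),
    Control("encryption_in_transit", 5, mandatory=True),
    Control("encryption_at_rest", 4),
    Control("vulnerability_management", 4),
    Control("incident_response_plan", 3),
    Control("fourth_party_vendor_assessment", 3, mandatory=True),
    Control("security_awareness_training", 2),
]

PASS_THRESHOLD = 0.75  # assumed acceptance threshold on the 0..1 score


def score_vendor(answers, controls=CONTROLS):
    """Return (score, hard_fails) for a dict of control name -> maturity.

    A missing or unrecognised answer is treated as "none": a vendor that
    cannot produce a policy when asked is scored as if it has none.
    """
    weighted = 0.0
    total = 0
    hard_fails = []
    for control in controls:
        factor = MATURITY.get(answers.get(control.name, "none"), 0.0)
        if control.mandatory and factor == 0.0:
            hard_fails.append(control.name)
        weighted += control.weight * factor
        total += control.weight
    return round(weighted / total, 3), hard_fails


def assess(answers, controls=CONTROLS, threshold=PASS_THRESHOLD):
    """Accept only if no mandatory control is missing AND the score passes."""
    score, hard_fails = score_vendor(answers, controls)
    return {
        "score": score,
        "hard_fails": hard_fails,
        "accepted": not hard_fails and score >= threshold,
    }


# Constructed sample questionnaire responses.
GOOD_VENDOR = {
    "identity_and_access_management": "monitored",
    "encryption_in_transit": "monitored",
    "encryption_at_rest": "monitored",
    "vulnerability_management": "monitored",
    "incident_response_plan": "monitored",
    "fourth_party_vendor_assessment": "monitored",
    "security_awareness_training": "implemented",
}

# Mostly paper policies, and no encryption in transit at all.
PAPER_VENDOR = {
    "identity_and_access_management": "monitored",
    "encryption_at_rest": "implemented",
    "vulnerability_management": "documented",
    "incident_response_plan": "implemented",
    "fourth_party_vendor_assessment": "documented",
    "security_awareness_training": "implemented",
}

# Strong everywhere except that it never assesses its own vendors.
NO_FOURTH_PARTY_VENDOR = dict(GOOD_VENDOR, security_awareness_training="monitored",
                              fourth_party_vendor_assessment="none")

if __name__ == "__main__":
    for label, answers in [("good", GOOD_VENDOR), ("paper", PAPER_VENDOR),
                           ("no-fourth-party", NO_FOURTH_PARTY_VENDOR)]:
        print(label, assess(answers))
```

The third sample is the instructive one: its weighted score is well above the threshold, yet it is rejected because the mandatory gate for step 5 is unmet. Separating hard gates from the weighted score is what keeps a vendor from "averaging away" a single critical gap with strong answers elsewhere.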

At Simple GRC, we specialize in designing and implementing such vendor assessment processes in a highly cost-effective way, leveraging web-based questionnaires for vendors to complete, designed using best practice frameworks. We also help:

  • Design and implement integrated procurement processes that trigger a workflow process and execution of the information gathering and assessment process.
  • Provide expertise in the gathering, review, and evaluation of information from vendors from questionnaires, and in on-site audits, to determine the cyber security capabilities of vendors.
  • Assist Legal teams in developing standard Terms and Conditions for use with IT vendors to put in place SLA requirements that ensure compliance with Cyber Security best practices.
  • Provide related services, such as Attack and Penetration testing and employee training and awareness programs.
  • Assist in the development of Crisis Management Plans pertaining to Cyber Security Incidents, so that when an incident occurs, everyone knows what to do (and what NOT to do).
  • Assist with forensics and the aftermath of a Cyber Security incident if and when one does occur.

It is unfortunate that we live in a world with so many malicious actors. Many of these malicious actors are actually state sponsored. So if your business is linked in any way to the infrastructure, it is likely that it is or has been a target for hacking. The prevalence of malicious actors attempting to hack into company systems has even begun to result in a slew of new legislation. For example, in Georgia, legislation has been proposed, and may have already passed, that requires certain companies to maintain Cyber Liability Insurance and that mandates Vendor Risk Assessments from a Cyber Security standpoint.

Do not allow your company to be the next company on the news reporting that it has been hacked. The proper stance is that it is not a matter of whether hackers will attempt to hack your company, but a question of "when" they will attempt to hack into your systems. And history shows that the most likely vector for an attack will be through your vendors, which makes developing a Vendor Assessment process critical.
