Building a network of trust: Don't let partners be your weakest link in cybersecurity

Bringing third-party vendors or partners into your organization changes the threat landscape. Here are five best practices to protect your enterprise.
Written by Conner Forrest, Contributor

As technology and its implementation continue to grow in scale and complexity, organizations increasingly look to third-party vendors and partners to help accomplish their goals. In short, with the modern extended enterprise, "there's a lot more reliance on outsiders," said 451 Research security analyst Garrett Bekker.

Vendors and partners can be useful in helping enterprises take full advantage of emerging tech tools; however, the extent to which businesses are bringing them into their environment can cause some problems in managing the organization. And this often goes beyond working with a handful of partners -- one large financial institution in New York once had around 20,000 external vendors that it dealt with, Bekker said.

In addition to complexity of management, vendors also bring new vulnerabilities into an organization. Partners and vendors have their own processes, their own methods, and their own authentication practices, and could provide a way into your network for attackers. The widely-cited Target hack, in which a compromised vendor led to a data breach for the retail giant, is one example of this.

Still, it's nearly impossible to do business today without working with vendors or partners in some capacity. Fortunately, there are some steps that IT and business leaders can take to protect their organizations. Here are five best practices for proper cybersecurity in vendor and partner relationships.

1. Know what you're protecting

As simple as it sounds, the first step to protecting your organization is clearly understanding what data you have, where it resides, how much of it is sensitive, and how you can control access to it. Some businesses fail to even understand the scale of their infrastructure. Bekker said that he has worked with companies in the past that, when questioned, think they have around 200 databases -- when the real number was revealed to be closer to 5,000.

It may be nearly impossible to track down every single asset, but at the bare minimum all of an organization's mission-critical and sensitive data should be accounted for. After locating where that data lives, make sure that no third-party partners and vendors have access to that location, if possible, Bekker said. If they need certain data, consider establishing a proxy from your organization who can access it on their behalf.

Sensitive resources should be treated with the utmost care, and organizations should implement multi-factor authentication to make it more difficult for a third party to access it. Consider what levels of access partners will have, and what data that gives them access to. Also, adopt tools to monitor third-party movement in your network, Bekker said, and be on the lookout for any patterns that may be out of the ordinary.

"Look for anything suspicious, like, 'Hey, why is this admin downloading all of these files at three o'clock in the morning on a Saturday night, and saving them to a thumb drive?'" Bekker said.

Other questions to ask are whether or not sensitive data is encrypted, whether the organization has a data loss prevention plan in place, and whether it has the proper tools to implement that plan. This could help mitigate some of the damage done by a breach.
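The monitoring Bekker describes, watching third-party and admin accounts for patterns that are out of the ordinary such as a bulk download at three in the morning on a weekend, is the kind of check a detection engineer would script against access logs. The following is an added example and is not code from the article, 451 Research or any product it mentions: it parses a constructed file-access log, then raises an alert when a vendor or admin account downloads an unusual number of files outside business hours within a one-hour window, or copies files to removable media. The log format, the field names, the roles, the business-hours range and the file-count threshold are all assumptions chosen for illustration.

```python
"""Flag out-of-the-ordinary third-party activity in file-access logs.

Added example (not from the article or 451 Research). The log format,
roles, business-hours range and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines:
# <ISO timestamp> <account> <role> <action> <file count> <destination>
SAMPLE_LOG = """\
2023-11-04T03:02:11 svc_vendor_acme vendor download 412 usb:E
2023-11-04T03:05:40 svc_vendor_acme vendor download 388 usb:E
2023-11-06T10:15:02 jsmith employee download 3 local
2023-11-06T11:42:30 admin_ops admin download 12 local
2023-11-05T02:10:00 admin_ops admin download 950 usb:F
2023-11-07T14:00:00 svc_vendor_beta vendor download 20 local
"""

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time (assumption)
BULK_FILE_THRESHOLD = 200       # files per account per one-hour window (assumption)
WINDOW = timedelta(hours=1)
WATCHED_ROLES = {"vendor", "admin"}   # accounts that get closer scrutiny


def parse_log(text):
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, account, role, action, count, dest = parts
        try:
            events.append({
                "ts": datetime.fromisoformat(ts),
                "account": account,
                "role": role,
                "action": action,
                "count": int(count),
                "dest": dest,
            })
        except ValueError:
            continue   # unparsable timestamp or count: drop rather than crash
    return events


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours range."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect_anomalies(events):
    """Return (account, timestamp, reason) alerts for watched accounts.

    Two rules: any download to removable media, and an off-hours burst whose
    file count within a one-hour sliding window reaches BULK_FILE_THRESHOLD.
    """
    alerts = []
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["role"] in WATCHED_ROLES and e["action"] == "download":
            by_account[e["account"]].append(e)

    for account, evs in by_account.items():
        for e in evs:
            if e["dest"].startswith("usb:"):
                alerts.append((account, e["ts"].isoformat(), "removable-media download"))
        # Sliding window: starting at each off-hours event, sum file counts
        # for the following hour; one bulk alert per account is enough to triage.
        for i, start in enumerate(evs):
            if not is_off_hours(start["ts"]):
                continue
            total = 0
            for e in evs[i:]:
                if e["ts"] - start["ts"] > WINDOW:
                    break
                total += e["count"]
            if total >= BULK_FILE_THRESHOLD:
                alerts.append((account, start["ts"].isoformat(),
                               f"off-hours bulk download: {total} files"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(*alert)
```

Run on the constructed log, the employee's daytime download and the vendor's small weekday download produce nothing, while the vendor account's Saturday 03:00 burst to a USB drive and the admin's Sunday 02:10 download are each flagged twice (once for the media, once for the volume). In a real deployment the same two rules would run over the access logs of whatever proxy or jump host third parties are routed through, with the threshold tuned to what is normal for each account.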

2. Know the outsiders

Once an organization understands what's at stake, it must also consider the weight of bringing outside vendors into its environment. Even if both parties share the same goals for their partnership, they may approach it in completely different ways.

Because of this, company leaders must seek to understand just how many third parties they are doing business with. At the onset, this seems easy, but there are almost always more variables lurking below the surface. Determining the number of companies with which a formal contract has been drafted is one thing, but security leaders must also develop a strategy for addressing shadow IT.

Because some employees or managers are so used to the instant gratification offered by cloud apps, they may be willing to bypass the IT vetting process for new tools and services.

"A certain department has a project to get done, and they don't want to wait for IT, they'll just go out and download a SaaS application, or open an account with a SaaS application, pay for it on their own account, and expense it through their project budget," Bekker said.

Now, you have a bunch of other third parties involved in your organization, whether you want them there or not. So, work on developing a policy around shadow IT, and allow for open communication. After all, you cannot secure a vendor if you don't know that they are a partner in your organization.

3. Determine your metrics for security

In order to keep vendors and partners from becoming a weak link in cybersecurity, businesses must determine the metrics by which they will measure third parties' performance. John Pironti, president of IP Architects, noted in a paper that proper metrics will initially provide both positive and negative thresholds for performance, along with business context that can be used to weigh the behavior.

When possible, the third parties in question should be looped into the process and made aware of the metrics. This will allow for the development of common language to be used in the measurements, and for both sides to understand what is expected of them, Pironti noted in his report. Some metrics will be actionable, while others will merely be informational, and it is important to denote the difference.

Make sure legal signs off on the metrics in question, too. "In some cases their existence can be considered a liability to the organization and should not be generated or documented," Pironti wrote.

Finally, be consistent in both collecting data on these metrics and processing it, Pironti wrote. This makes the metrics more useful historically, as they can be compared and contrasted across the life of a vendor relationship.

4. Address risk in your contract

Addressing risk directly in your vendor or partner contract goes beyond simple metrics by outlining exactly what's expected from each partner, and clearly laying out the consequences of contrary behavior. At a high level, Bekker said that businesses can use their contracts to define the steps they want partners to take when they are working in the company's network.

For example, a customer organization could require that all of a vendor's employees use multi-factor authentication, or that they encrypt data using a specific form of encryption. In a separate report, Pironti recommended including these five clauses in a contract:

  1. The right to audit a partner
  2. Software maintenance and accountability from a vendor
  3. Verification of compliance and regulatory requirements
  4. Disclosure of open source software components
  5. Flow down attestation

Proper security clauses will help "ensure there are both revenue and business based incentives for them to effectively implement and maintain appropriate security controls and capabilities," Pironti wrote.

5. Audit your partners

Once these clauses are in place, it's critical that customers regularly audit the partners they are doing business with. Bekker said that there are companies that will do this for you, or your organization can develop its own process.

In this process, questionnaires are often used to help the business assess security and financial risks posed by vendors and partners. Simple questions that can easily be scored with a "yes" or "no," or along a five-point scale, are a great way to see how certain vendors may stack up regarding your security needs.

As with overall metric collection, consistency is key in your audits. During the partner audit process, take steps to compare recent scores with those in the past to gauge the consistency of your vendor's behavior.

However, bear in mind that your vendors and partners will have some questions of their own, and they might have a specific way that they plan on responding to your questionnaire. Before answering, vendors will consider how your organization may use the data, how it may be secured, and more, Pironti pointed out in a 2010 ISACA post. Make sure that your policies are clear regarding these concerns, and work to respect your vendors' needs as well.
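Sections 3 and 5 together describe one procedure: define metrics with pass/fail thresholds, mark which ones are actionable, score vendor questionnaires consistently on a yes/no or five-point scale, and compare each audit with earlier ones. The following is an added example, not code from the article, IP Architects or ISACA, that carries that procedure through for one vendor: answers are normalized onto a common 0 to 1 range, weighted, scored against a pass threshold, actionable items that fall below a floor are flagged, and a drop against the prior audit is reported as a regression. The questions, weights, thresholds and answers are all constructed for illustration.

```python
"""Score a vendor security questionnaire and compare it with prior audits.

Added example (not from the article, IP Architects or ISACA). Questions,
weights, thresholds and the sample answers are constructed.
"""

# Constructed questionnaire: each item is yes/no or a 1-5 scale, carries a
# weight reflecting how much it matters, and is marked actionable or merely
# informational (the distinction Pironti draws for metrics).
QUESTIONS = {
    "mfa_for_all_staff":        {"kind": "yesno", "weight": 3, "actionable": True},
    "encrypt_data_at_rest":     {"kind": "yesno", "weight": 3, "actionable": True},
    "patch_cadence":            {"kind": "scale", "weight": 2, "actionable": True},
    "incident_notification":    {"kind": "scale", "weight": 2, "actionable": True},
    "security_staff_headcount": {"kind": "scale", "weight": 1, "actionable": False},
}

PASS_THRESHOLD = 0.75    # weighted score required to pass (assumption)
ITEM_FLOOR = 0.6         # actionable item below this normalized value is flagged
REGRESSION_DELTA = 0.10  # drop versus the last audit that is worth escalating


def normalize(kind, answer):
    """Map a yes/no or 1-5 answer onto [0, 1]; reject anything else so that a
    blank or free-text answer cannot silently score as zero or full marks."""
    if kind == "yesno":
        if answer in ("yes", "no"):
            return 1.0 if answer == "yes" else 0.0
        raise ValueError(f"expected yes/no, got {answer!r}")
    if kind == "scale":
        if isinstance(answer, int) and 1 <= answer <= 5:
            return (answer - 1) / 4
        raise ValueError(f"expected an integer 1-5, got {answer!r}")
    raise ValueError(f"unknown question kind {kind!r}")


def score_questionnaire(answers):
    """Return (weighted score in [0, 1], ids of flagged actionable items).

    Every question must be answered: a missing answer is an error, not a zero,
    so that scores stay comparable across audits.
    """
    total_weight = 0
    weighted = 0.0
    flagged = []
    for qid, q in QUESTIONS.items():
        if qid not in answers:
            raise KeyError(f"missing answer for {qid}")
        value = normalize(q["kind"], answers[qid])
        weighted += value * q["weight"]
        total_weight += q["weight"]
        if q["actionable"] and value < ITEM_FLOOR:
            flagged.append(qid)
    return round(weighted / total_weight, 3), flagged


def assess(answers, history):
    """Score the current answers and compare with prior scores (oldest first)."""
    score, flagged = score_questionnaire(answers)
    result = {
        "score": score,
        "flagged": flagged,
        "passed": score >= PASS_THRESHOLD,
        "regressed": False,
    }
    if history:
        result["regressed"] = (history[-1] - score) >= REGRESSION_DELTA
    return result


# Constructed answers for one vendor, and its two earlier audit scores
CURRENT_ANSWERS = {
    "mfa_for_all_staff": "yes",
    "encrypt_data_at_rest": "no",
    "patch_cadence": 4,
    "incident_notification": 2,
    "security_staff_headcount": 3,
}
PRIOR_SCORES = [0.82, 0.85]

if __name__ == "__main__":
    print(assess(CURRENT_ANSWERS, PRIOR_SCORES))
```

With the constructed answers the vendor scores 0.5, fails the pass threshold, has two actionable items flagged (no encryption at rest, weak incident notification) and shows a regression against its 0.85 from the previous audit; the headcount question, being informational, never flags on its own. Keeping the normalization and weights fixed from one audit to the next is what makes the history comparison meaningful, which is the consistency point made above.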
