What if the biggest security risk your company faced was from an employee at a trusted vendor company? Third party risk management, or vendor risk management, is an emerging cybersecurity practice that larger companies are using to mitigate the risk that smaller, network connected third party and vendor companies can represent.
The classic example of the dangers a vendor can bring to another company is the 2013 Target Christmas Hack. The original location of the breach was the remote monitoring network connection that an Ohio based HVAC company had with Target to manage refrigeration and air conditioning systems. Following this breach, many large companies began looking at the security policies and practices of their smaller vendor companies. What was discovered, of course, was that most of these companies did not have any formal security policies or procedures.
If you own or manage a small business and you are in the supply chain of a larger company, you have undoubtedly received a letter or email from the cybersecurity team of this large customer asking you for a review or audit of your cybersecurity program. If you are in the DOD supply chain, you have been required to comply with NIST SP 800-171 and DOD 858201p.
This is a list of the scrutiny to which you may be subjected. Remember, the client firm is making a determination as to the fitness of your company to continue a vendor relationship. You could end up losing your customer if you are not meeting their expectation for cybersecurity compliance.
- This may include a financial records audit.
- A review of data transactions and data processing.
- Regulatory compliance with any government (HIPAA, GLBA) or industry (PCI-DSS) regulations that may apply to your business.
- Basic and advanced security policies and compliance.
- Computer acceptable use policies
- Computer incident response plan (CIRP)
- Interviews with key personnel.
- And most certainly it will include a network vulnerability assessment or penetration test.
The mistakes your company may make will impact the client. Remember it was Target that was sued, not the HVAC company. After they initial screening they will want the following:
- Ongoing security monitoring.
- Ongoing security due diligence.
- CIRP tabletop simulations with client IT staff present.
To ensure that communications between your vendor company and the client are secure, expect to be required to use the following techniques.
- Two factor authentication
- Permission based network segmentation and access.
- Use of secure connections such as VPNs
- The presence of security devices on your network, such as firewalls, intrusion dection and prevention devices (IDS or IPS), unified threat management platforms such as AlienVault.
Part of the requirement stack that your client will require from your organization is an ongoing monthly, quarterly, or annual cybersecurity awareness training program. This can include.
- Phishing simulation
- On-site live, online, or video training
- CIRP tabletop simulations with your internal staff only.
This is the sort of examination is what you can expect to see from larger key clients this year, if you have not been subject to them already. It can be expensive to set up a security program that complies with their requirements, but in the end this will protect not only your client, but other clients, and your own business from intrusion, disruption, and financial loss.