
As a society, we have come to depend on vendors and managed service providers to assist in business functions ranging from trivial to critical. These services support internal functions and client services, and ultimately help companies grow and operate. Therefore, the importance of the security surrounding each solution should not be understated. However, many organizations overlook these services in their risk assessments. When evaluating vendors, it is crucial to understand their security stance for multiple reasons. Supply chain risks are becoming a more significant threat due to the effectiveness of the attacks. Data protection and compliance obligations extend outside of the organization, which means you still bear responsibility for them.
Supply Chain Attacks
There has been an increase in major service provider compromises over the past several years. These attacks have gained momentum because attacking a single source can provide access to many victims. There is an even bigger incentive when the attack bypasses the potentially strong controls of the target by exploiting the weaker controls of the supplier. The SolarWinds breach is perhaps one of the most notorious: foreign actors leveraged a single attack to gain access to many critical networks. A similar scenario was seen with the attack on Kaseya, where the MSP platform was temporarily breached, putting thousands of organizations at risk. Most recently, a PowerSchool breach potentially exposed millions of student records. Software repositories, not just service providers, are under attack as well. These repository attacks can undermine the delivery of secure code and present attackers with footholds into an organization.
Assessing Vendor Security
One explanation for these attacks being so common is that customers don’t scrutinize their vendors’ security, thereby leaving the vendors off the hook for secure operations. If a vendor is not pushed to secure a solution, many times they won’t, as doing so is costly and can slow progress. Customers and consumers are not always thinking of the role vendors may play, the access they may ultimately receive, or the impact a breach of their resources may have. Further, many believe that if a function such as storing protected data is offloaded to a secondary provider, the original data custodian is no longer responsible, but this is rarely the case. For example, if a patient trusts a hospital to store their record securely, it is up to the hospital to ensure that wherever the record resides is secure, regardless of the solution in place. This means whatever solution is in place must meet the full set of requirements expected of its customer, not just for functionality but for security as well. Establishing data classification standards and requirements can help in this area, but it may not be enough on its own.
Safety in Numbers (or maybe not)
Too many companies rely on the safety-in-numbers approach. This means they choose solutions because everyone else is using them, assuming the previous consumers did their due diligence. This approach is flawed, and we have personally seen it proven to be a false paradigm on numerous occasions. If the phrase “it has to be secure because {insert bank here} uses it” is the security evaluation, trust us and start a new one.
Conclusion
This is all meant to demonstrate that there are many trusted pathways into a company that can have a significant impact on data and operations. To combat this, a level of diligence and review of third parties is needed. Establishing security requirements for service providers and regularly performing reviews is one way to lower risks in this area. Incorporating security and compliance requirements and attestations into contracts is another. When considering vendor selections, it is also important to understand the vendor’s ability to recover and to strictly outline breach disclosure expectations. These two elements can both play major roles in operations, especially for critical solutions or regulated data. At a minimum, any provider should meet or exceed internal requirements and should not create greater exposure through its use.
CTInfoSec is a strong advocate in conducting third party reviews, creating data classification policies, and cataloging where data resides. By regularly evaluating internal requirements, external providers, and asset inventories, risks can be reliably measured and kept within acceptable tolerances. If you aren’t sure where to start, contact us.
