In 2013, malicious actors gained access to retail giant Target’s point-of-sale systems through an unlikely third party: heating and cooling contractor Fazio Mechanical. Fazio and Target shared a data connection for electronic billing and project management. Criminals first breached Fazio through phishing emails, then exploited the shared connection to breach Target and push malware to its point-of-sale systems, ultimately collecting credit and debit card data from more than 40 million customers. In 2013, Target reported that the cost to them in settlements and representation topped $292 million, not including the massive losses stemming from the reputational hit with shoppers, who are still talking about it almost five years later.
Most organizations have multiple partners with physical or logical access to their information and information systems, and few institutions have assessed the full scope of the risk this introduces. Access can range from cleaning contracts to vendors operating the entire IT infrastructure as a Managed Service Provider. We have found that organizations do not effectively account for these third parties; below is a process for gathering cybersecurity vendor management requirements and building a program that protects sensitive data.
Step 1: Develop a Data Classification Guide
Organizations must conduct a thorough analysis of the different types of data they process and promulgate a concise guide for employees and auditors that delineates the protection and handling required for each type of information. An example of a data classification scheme might be:
- Publicly Releasable Information
- Confidential Information (including personally identifiable information, personal health information, contract-sensitive information, and other information that should be guarded carefully)
- Proprietary/Trade Secret Sensitive Information
There are no set parameters for data classification, other than that the level of protection prescribed for each class should be commensurate with the risk posed by its disclosure.
Step 2: Establish a Risk Management Program for Third Parties
When a third party is provided with physical or logical access to an organization’s information systems, risk is introduced. Risk comprises two elements: likelihood and impact. It sounds simple, but the analysis of risk from the scope of a third party’s access is frequently. The decision to outsource and the nature of the outsourcing must be fully understood, documented, and reviewed regularly. In addition, it is important to build a program that is standardized, repeatable, effective, and efficient. This can be done by grouping vendors into a small number of risk categories and mandating a standard set of controls for each category. Consider the following as an example:
- High-Risk Vendors: Vendors who handle or have access to data that, if exposed, would pose great risk to the long-term survival of the organization.
- Medium-Risk Vendors: Vendors who have access to data that, if exposed, would pose significant short-term risk to the organization.
- Low-Risk Vendors: Vendors who, if compromised, would pose measurable short-term risk to the organization.
Each category of vendor will have its own standard set of controls, evaluations, and practices, exercised in proportion to the level of risk, generally as defined in Step 1.
Step 3: Make Security a Criterion in the Vendor Selection Process
While organizations can transfer the work effort, they cannot transfer responsibility for the security of their information. As a result, the reputation, credentials, and documented security controls implemented by third parties should be a significant factor in choosing any vendor that will have logical and/or physical access to your information and information systems. Potential vendors should be required to submit a security questionnaire along with their proposals, giving an indication of their maturity in handling information and their trustworthiness for physical access.
Step 4: Evaluate the Scope and Level of Access Necessary for Vendors
Most organizations grossly underestimate the number of vendors that have not only logical but also physical access to information systems. If an individual can touch a router or firewall, it is a given that they can control that device through the admin console. The principle of “least privilege” should be applied when granting third-party vendors logical and physical access, meaning that you should provide only the bare minimum of access these outside parties need.
Step 5: Include Cybersecurity Requirements in the Contract and Evaluate Regularly
By outsourcing services to an outside vendor, your institution may not be able to exercise the same level of control over operations that it has over an in-house service provider. It is imperative that contracts with vendors include the right to audit, the right to conduct an annual security assessment, and, where applicable, a set of required controls. Per the FFIEC Handbook, your organization’s contracts should:
- “Include minimum control and reporting standards”;
- “Provide for the right to require changes to standards as external and internal environments change”; and
- “Specify the institution or an independent auditor has access to the service provider to perform evaluations of the service provider’s performance against the Information Security Standards.”
Organizations should also review vendors at a depth and frequency commensurate with their risk. For third parties that provide IT services, technical testing, including penetration testing, may be appropriate. At a minimum, vendor access should be validated regularly so that the risk it carries is understood.
Step 6: Encourage Teamwork
Organizations should endeavor to create a win-win situation with their vendors by providing clarity and helping them build a culture of cybersecurity awareness, for example by sharing resources such as training and email campaigns. The Department of Homeland Security provides resources that can be used for free, and DHS releases additional materials and messaging during Cybersecurity Awareness Month every October. More information can be found at the DHS Cyber Security Awareness site: https://www.dhs.gov/national-cyber-security-awareness-month
This article was originally published in the Western Independent Banker’s WesternBanker publication.