A 2016 survey by the independent Ponemon Institute shows that 56 percent of organizations have had a breach caused by one or more of their vendors.
Yet fewer than one in five companies (17 percent) felt their organization effectively managed third-party risks, and less than half said that managing the risks of outsourced relationships was a priority in their organization. That thinking has turned into a serious mistake for many.
Hackers view small- to medium-sized businesses as less protected and as a potential back-door entry into larger organizations. Last year Target paid $18.5 million to 47 states for a 2013 breach that began when criminals entered Target’s systems through a refrigeration, heating and air conditioning subcontractor. Yahoo also experienced a massive break-in caused by a third-party vendor.
Did the Target HVAC contractor ever regain its reputation? The damage to smaller companies, with fewer resources to recover, can be devastating. Yet more than half of companies don’t keep a comprehensive inventory of the third parties that share their sensitive information—or that are allowed unrestricted remote access to their network.
Also unsettling: criminals can continue to create risk even ‘after’ a vendor is terminated, taking advantage of unpatched and outdated software left behind by the relationship. Unfortunately, this is the soft underbelly—the entry point for many vendor-connected breaches.
There’s a saying in the managed security industry that you’re only as secure as your ‘least secure’ contractor. Managed security can minimize the risk of hiring a third-party vendor, provided you find the right partner. Here are questions that can peel back a provider’s weaknesses and raise red flags early.
Before hiring a managed security partner, ask if they:
Invite managed security companies to your site to meet. Let them put a trained eye on your current security.
Here are some questions they may ask you:
Most likely you’ve done a good job vetting your primary vendors. Given the heightened threats, it may be time to consider hiring a managed security partner who can walk ‘downstream’ and make sure your primary vendors and their subcontractors can do no damage to your sensitive data, your customers and your bottom line.