Mitigating Third-Party Security Risks


To function as a business today, we need technology. And the odds are pretty high that you get that technology from a third party.

It used to feel like you could just consider the other businesses’ reputation and take them on their word that you were safe from risks.

Today, we know that’s not really how things work and we now need to do our due diligence in validating that trust we have in them.

If your relationship with any third party includes things that must be kept private, or something you're trusting and relying on being there for you, then today's article is a good place to learn how to start tackling your third-party risks.

Isn’t This the Third Party’s Responsibility?

This is the tricky part. You may have agreements for certain levels of service and availability, but there can often be situations, like a cyber attack or an outage, that are outside of their control.

Also, in the end, it comes down to your ability to show you made a conscious effort to select a safe vendor. If you work with regulated data and are in industries like insurance, you may have requirements to actually have a plan in place for this process.

Think about it from your customer’s perspective. What if your information was caught in a breach and you lost your retirement money all because your financial advisor chose a vendor with poor cybersecurity? Who would you ultimately blame? At what point do you separate the business from the tools they use?

So, yes, it is the third party’s responsibility to be protecting themselves. However, it’s your responsibility to validate that it’s sufficient based on the risk you are sharing with them.

How Do We Approach Third-Party Security?

Look at this in two phases, depending on what that piece of technology does and where it impacts your risks around the CIA Triad of Cybersecurity: Confidentiality, Integrity, and Availability (or think Privacy, Trust, and Reliability):

  • Secure what can be accessed on your end of their systems
  • Assess the third party’s security practices and determine if they are adequate based on the level of risk

To start this whole process, begin by listing out and tracking your third-party service providers. Take note of the level of risk based on the CIA Triad:

  • Is there information and data they’ll have access to that needs to stay private? What is the sensitivity level of that data?
  • Are we dependent on the trust in the data or processes related to what this third party is doing? What would the degree of impact on the rest of the business be if that trust is compromised?
  • Are we dependent on this technology being there? What would the degree of impact on the rest of the business be if it is not available when needed?

While it may not be easy to give specific answers to these questions, answering them can at least give you a way to compare systems and identify the most critical ones.

This will give you a way to prioritize your providers based on impacts to your business. From there, you can start working through those two phases.
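Here is one way to put that inventory and prioritization into working form. This is an added example, not a tool from the article or its author: each provider is rated 0 to 3 on Confidentiality, Integrity and Availability (the 0 to 3 scale, the scoring formula, the assessment tiers and the sample provider names are all assumptions made for this example). The worst single dimension drives the assessment tier, which is the same "handle third parties based on level of risk instead of a blanket approach" idea the assessment section below describes, and the score orders providers so the highest-risk ones get attention first.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Impact scale used by this example (an assumption, not the article's):
# 0 = no impact, 1 = low, 2 = moderate, 3 = severe.
IMPACT_LEVELS = {0, 1, 2, 3}

# Depth of vendor assessment applied per worst-case impact (also an assumption).
TIERS = {
    3: "full assessment (security reports, policies, incident response plan)",
    2: "questionnaire (risk practices, framework, incident response)",
    1: "basic checks (contract terms, public security/compliance page)",
    0: "inventory only",
}


@dataclass
class Provider:
    name: str
    confidentiality: int  # does it hold data that must stay private?
    integrity: int        # do we depend on its data/processes being trustworthy?
    availability: int     # do we depend on it being there when needed?
    integrations: List[str] = field(default_factory=list)  # other systems it connects to

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot silently hide a provider.
        for dim, value in (("confidentiality", self.confidentiality),
                           ("integrity", self.integrity),
                           ("availability", self.availability)):
            if value not in IMPACT_LEVELS:
                raise ValueError(f"{self.name}: {dim} must be 0-3, got {value}")

    def max_impact(self) -> int:
        return max(self.confidentiality, self.integrity, self.availability)

    def risk_score(self) -> int:
        # The worst single dimension dominates; the sum of all three breaks ties,
        # and each integration adds a point because every connection can pull
        # another third party into scope.
        total = self.confidentiality + self.integrity + self.availability
        return self.max_impact() * 10 + total + len(self.integrations)

    def assessment_tier(self) -> str:
        return TIERS[self.max_impact()]


def prioritize(providers: List[Provider]) -> List[Tuple[str, int, str]]:
    """Return (name, score, tier) from highest to lowest risk; ties sort by name."""
    ranked = sorted(providers, key=lambda p: (-p.risk_score(), p.name))
    return [(p.name, p.risk_score(), p.assessment_tier()) for p in ranked]


# Constructed sample inventory for an insurance agency (names and ratings are illustrative).
SAMPLE_INVENTORY = [
    Provider("Agency management system", 3, 3, 3, ["E-mail", "E-signature"]),
    Provider("E-mail", 3, 2, 3),
    Provider("E-signature", 2, 3, 2, ["Agency management system"]),
    Provider("Newsletter tool", 1, 1, 1),
]

if __name__ == "__main__":
    for name, score, tier in prioritize(SAMPLE_INVENTORY):
        print(f"{score:3d}  {name:26s} -> {tier}")
```

The ordering is deliberately driven by the worst dimension rather than the average: a provider that is low on confidentiality and integrity but severe on availability still belongs at the top of the list, because the business stops when it is down.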

Securing Your End

Depending on the type of system and the level of risk based on what can be done in it, you may often find different security controls that you can review and adjust.

Most systems don’t turn everything on by default.

Here are a few key areas to watch for as you explore the tools you have available from each provider:

(This is all general info that could vary by system. So, check your user documents and help pages to learn how to do these things, assuming they are available features.)

Authentication Controls

We want to make sure we’re letting only the right people in. Most systems are going to have controlled access through a user login, but you will want to make sure you review this part of the process to create layers of security (it’s like adding a deadbolt and chains to lock a door).

These would include places where you can set Password and Multi-Factor Authentication controls.

Depending on the system and what other tools you use, you may be able to create a Single Sign-On (SSO) experience for your users to make things easier (just make sure the SSO tool is also well secured, since it can potentially be used to access every connected system).

You may also be able to set and control Login Restrictions that determine when your users can access this system, and from what locations.

Access Privileges and Security Groups

Once people get in, now we need to think about what they can do.

A comment I hear often is that “we trust our users”.

It's a great sentiment, but the concern is not whether we trust them. The concern is that if their access is compromised, we don't want more exposed than necessary.

So, we need to look at ways to minimize our digital footprint for each user.

When possible, look for different security settings around access or groups that you can create to make it easier. Typically, you will find various controls around access privileges within the user setup options.

Import/Export Controls

If data can come and go in your system, we want to know how we can control it. This may fall into a user setting for access privileges or it could be controlled more globally.

We want to pay particular attention to who is allowed to export data and make sure we review our options.

In addition to privileges around this, consider the ability to edit information. This falls more into that “Integrity/Trust” area of risk, but we want to make sure we’re protected from ways people could manipulate information or delete it.

Document Privileges

The same goes for documents. We need to look for ways to protect them from the wrong people seeing them, as well as manipulation and deletion.

Check your systems for different ways you can control the types of documents or files people may have access to and what they can do with them.

You may also find different tools to help with data security and data classifications. Sometimes there can be controls available to set the level of security on individual documents based on the confidentiality or security level applied to them.

Audit and Access Logs

While you explore your controls, keep an eye out for various logs, reports, and tools you can configure that could help investigate suspicious activity.

You will want to know what you have available and where it’s located. You may also need to determine how far back data is stored for some systems because you may need to look at activity spanning several months.

Look for any logs and reports around user logins, user activity, and anything that can audit changes in the system to data or files.

This type of information is critical to identifying suspicious activity and conducting investigations.
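To show what "investigating suspicious activity" looks like once you know where the logs are, here is an added example (not from the article or any vendor's product) that reviews a constructed audit-log extract against the kinds of controls discussed above: login restrictions on hours and locations, who is allowed to export data, and bulk exports or deletes that threaten integrity. The log format, the field names, the policy values and the user names are all assumptions made for this example; real systems expose different fields, so map them from the vendor's login, activity and audit reports. It also checks how far back the extract reaches, since the retention question matters when an investigation spans months.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed audit-log extract (not real data). Columns are an assumption.
SAMPLE_LOG = """timestamp,user,action,country,records
2024-10-07T09:02:11Z,jdoe,LOGIN,US,0
2024-10-07T09:15:40Z,jdoe,EXPORT,US,120
2024-10-07T02:14:05Z,mlee,LOGIN,US,0
2024-10-07T13:30:00Z,asmith,LOGIN,BR,0
2024-10-07T13:31:10Z,asmith,EXPORT,BR,48000
2024-10-07T14:05:22Z,jdoe,DELETE,US,350
2024-10-07T16:00:00Z,mlee,EXPORT,US,15
"""

# Policy values are assumptions for this example; take them from your own
# login restrictions and export/delete privileges.
POLICY = {
    "allowed_countries": {"US"},
    "business_hours_utc": (8, 18),      # logins expected from 08:00 up to 18:00 UTC
    "export_allowed_users": {"jdoe"},   # only these users hold the export privilege
    "bulk_export_threshold": 1000,      # records in one export that warrant a look
    "bulk_delete_threshold": 100,       # records in one delete that warrant a look
}

Finding = Tuple[str, str, str]  # (rule, user, "YYYY-MM-DD HH:MM")


def parse_log(text: str) -> List[dict]:
    """Parse the CSV extract into rows with a timezone-aware timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "user": row["user"],
            "action": row["action"],
            "country": row["country"],
            "records": int(row["records"]),
        })
    return rows


def review(rows: List[dict], policy: dict) -> List[Finding]:
    """Flag events that fall outside the configured login, export and delete controls."""
    findings: List[Finding] = []
    start, end = policy["business_hours_utc"]
    for r in rows:
        when = r["ts"].strftime("%Y-%m-%d %H:%M")
        if r["action"] == "LOGIN":
            if r["country"] not in policy["allowed_countries"]:
                findings.append(("login-from-unexpected-location", r["user"], when))
            if not (start <= r["ts"].hour < end):
                findings.append(("login-outside-hours", r["user"], when))
        elif r["action"] == "EXPORT":
            if r["user"] not in policy["export_allowed_users"]:
                findings.append(("export-without-privilege", r["user"], when))
            if r["records"] >= policy["bulk_export_threshold"]:
                findings.append(("bulk-export", r["user"], when))
        elif r["action"] == "DELETE" and r["records"] >= policy["bulk_delete_threshold"]:
            findings.append(("bulk-delete", r["user"], when))
    return findings


def findings_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per user so the noisiest accounts are investigated first."""
    return dict(Counter(user for _, user, _ in findings).most_common())


def lookback_days(rows: List[dict], now: datetime) -> int:
    """How many days of history the extract actually covers, for the retention question."""
    return (now - min(r["ts"] for r in rows)).days


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(f"extract covers {lookback_days(rows, datetime.now(timezone.utc))} days")
    for rule, user, when in review(rows, POLICY):
        print(f"{when}  {user:8s} {rule}")
    print(findings_by_user(review(rows, POLICY)))
```

Two points of the design are worth noting. Export findings are raised on privilege and on volume separately, because a permitted user pulling an unusually large export is still worth a look, and a user without the privilege exporting anything at all indicates a control that is not being enforced. Checking the lookback window first tells you whether the extract can answer the question you are asking before you spend time reading it.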

Integration, API, and Connectivity

If your system talks to others through some form of connection, whether an integration, API or something else that was created, you want to secure that connection and consider if another third party is becoming involved.

Take time to understand what this integration means for your risk. Think again about the CIA Triad and what this connection puts at risk so you can start to think about ways to protect it.

Assessing Your Service Providers

While we need to take responsibility for securing our end of the systems we use, we also need to consider how things are protected on the vendor’s side of things.

This is beyond just asking about their data center and hosting, but may also include questions about their overall security practices as an organization.

For businesses that are large enough to get these questions a lot (like Microsoft, Google, Amazon, etc.), you may find landing pages where you can locate security and compliance artifacts. It's not uncommon to have to log in to retrieve this information.

For others, you may need to get in touch with them to get help answering your questions.

Consider the level of risk you share with the third party to start to determine how deep you want to go into assessing their security practices. Some businesses may go as far as asking for various security reports or policy and procedure documents.

Keep in mind that businesses should guard this information and may be hesitant to share too many details to protect themselves should it get into the wrong hands. Be aware of the fact that you may be asking them to share internal practices or that your questionnaire may have just created a bunch of work for them. (Another reason why you may decide to handle third parties based on level of risk instead of having a blanket approach for all vendors).

At minimum, you may consider asking about the following:

  • How are you identifying risks and taking action on what is found? (Consider asking about their practices around risk assessments, vulnerability management, pen testing, etc.)
  • Do you have documented best practices based on a framework? (Consider asking about any specific practices that matter most to you)
  • Do you have a documented Incident Response Plan? (Consider asking about being included in notifications about any potential breaches that could affect you)

In the end, a more formal questionnaire may be necessary. But, just getting started with a few questions can help you understand the risk you are taking with the vendor and help you decide if they are doing enough.

This can take a lot of work, and a lot of time to hear back from third parties. This is where it can help to have a list of providers where you can identify those that have the highest level of risk.

Resources

If you need help figuring out what questions to ask or want to build a more in-depth questionnaire, let me know – I’m working on a resource for that!

Also, grab my Risk Inventory Tracker for free to start collecting your service providers and other key items you should keep in an inventory.

And, check out SecureMyAgency.com for help in addressing cybersecurity and compliance in your insurance agency. We have some cool packages that give you an inexpensive way to get different types of help, or we’re also able to create something more specific to your needs.

This is being published during Cybersecurity Awareness Month, so also be sure to check out our October 2024 event page for more cool ways to learn about cybersecurity this month: rlsconsulting.co/October2024
