You’ve protected your client’s network from bad actors with firewalls at the network perimeter; anti-virus, anti-spam, and anti-malware software at the desktop; user education; and third-party penetration testing to find any soft spots.
But what about protection from malware and other breaches that can inadvertently come from the “good guys”; that is, the vendors, business partners, and other third-party organizations your client exchanges data with, and over whom you have no control?
The latter is a more likely scenario, according to Josh Feinblum, vice president of information security at Boston-based Rapid7 Inc., a provider of analytics solutions for security and IT operations. “Most small businesses will never fall into the crosshairs of a malicious actor, but they could find themselves embroiled in a broader breach response due to the poor security posture of their vendors,” Feinblum says. And in today's world, he notes, “A simple, high-level vetting of vendors can significantly reduce the risk of SMBs getting pulled into costly crisis situations.”
The Process of Protection
Establishing a risk assessment process is crucial in addressing this issue, according to Ryan Barrett, vice president of security and privacy at Mountain View, Calif.-based IT and services provider Intermedia.net Inc., “so you can ensure that third-party organizations connecting to your client’s systems are trustworthy.”
The process Barrett describes includes two parts. The first is obtaining attestations and certifications covering the organization’s security measures and how they compare with standards such as NIST 800-53 (a catalog of security controls for all U.S. federal information systems), ISO 27001:2013, and/or PCI. The second is gathering verifiable documentation, such as SOC 2 Type II certification, that reflects an independent compliance audit of the third party’s security standards.
A high-level vendor assessment can provide a wealth of useful information, notes Feinblum. “But avoid sending them spreadsheets with hundreds of questions, and instead focus on asking the five to 10 questions that matter most to you,” he says, “which should include very foundational questions around things like two-factor authentication, external penetration testing, vulnerability management, and patching.”
“Attestations and certifications are good starting blocks,” adds Brent Huston, security evangelist and CEO of MicroSolved Inc., a Columbus, Ohio-based information security firm. “But the partners with whom you exchange sensitive/critical data need ongoing validation,” he explains, requiring “a system of ongoing monitoring, passive assessments, and other technical means to isolate ‘hot spots,’ and then putting pressure on those organizations in real time to mitigate.”
Ongoing efforts by SMBs to protect against attacks via business partners also include “treating all business partner interconnections as untrusted, and implementing strong prevention, detection, and response mechanisms,” Huston says.
To effectively address the issue of business partner, vendor, and other third-party threats, “SMBs should focus less on tools and more on process,” says Feinblum. He adds, “They must make sure they understand where their most sensitive data is going, and work to ensure that they are exercising some degree of diligence of third parties.”