When officials at retailer Target Corp. investigated the 2013 data theft that affected up to 70 million individuals, they discovered the retailer’s electronic connection with a provider of heating and air conditioning services likely played a big role in the breach.
As Target’s experience shows, organizations’ connections with third parties, including those far removed from sensitive data, can trigger potentially crippling security compromises. The growing group of companies whose data security policies were breached via a connection with service providers includes AT&T, Goodwill Industries, and many others. Indeed, a report by PwC links current and former service providers to one-third of all data security incidents.
So why are business associates, vendors, and service providers leaving the back door open to hackers and other data thieves? In most cases it is vendors’ negligence, rather than malicious activity, that has led to the breaches, says Greg Rosenberg, security engineer with Trustwave, a provider of security services.
Companies are already scrutinizing their relationships with third parties for risks that could land them in hot water for violating the Foreign Corrupt Practices Act. Now, that due diligence must extend to third-party data systems and networks that could expose companies to data breaches. It’s a risk health companies have focused on for years. Provisions of the Health Insurance Portability and Accountability Act (HIPAA) require companies that deal with any health-related patient information to put procedures in place for protecting and overseeing third-party use of that data. Monitoring third-party use of and access to customer data is quickly becoming a “best practice” in all industries.
Even so, many organizations have failed to establish procedures to reduce the data security risks inherent in working with third parties. Just 44 percent have processes for evaluating third parties, according to the 2014 PwC U.S. State of Cyber-crime survey. Less than one-third include security provisions in contracts with external suppliers. “Companies sometimes don’t understand who their vendors are and what access to information they have,” says Carolyn Holcomb, partner and leader with PwC’s data protection and privacy practice.
New Rules in Place
The importance of managing these exposures continues to rise. Over the past eighteen months, numerous regulatory agencies have issued guidance regarding companies’ responsibilities for managing data across their relationships with third parties, notes Jonathan Dambrot, co-founder and chief executive officer with Prevalent Networks. “In a lot of cases, it used to be good enough to have contracts that said, essentially, ‘Someone has to do something.’”
That no longer flies. An October 2013 bulletin from the Office of the Comptroller of the Currency, for example, states: “The OCC expects banks to have risk-management processes that are commensurate with the level of risk and complexity of its third-party relationships.” The Consumer Financial Protection Bureau has issued similar warnings.
It’s not just financial institutions that need to worry about regulatory oversight of how data is shared in third-party relationships. In its guide for complying with the Children’s Online Privacy Protection Act, the Federal Trade Commission warned operators of commercial Websites and online services directed to children to “determine what the service providers’ or third parties’ data practices are for maintaining the confidentiality and security of the data,” before sharing children’s personal information with these companies.
Regulators in Europe are also focusing on how data is managed across business relationships. The Financial Conduct Authority in Britain published “Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions.” It expects these firms to “appropriately manage the operational risk associated with its use of third parties.”
Driving regulators’ concerns about third parties’ abilities to safely manage data is the fact that they’ve become attractive targets for cyber-criminals. Often, these companies have valuable information or a pathway to it. “What makes service providers so compelling (to criminals) is that the attacks are more efficient,” Rosenberg says. A hacker who cracks one service provider’s network often can gain access to multiple accounts.
Another consideration is that third parties with even the most tangential relationship can create a vulnerability for hackers to exploit. According to a report by the New York Times, for example, hackers gained access to the network of a large oil company through the computer systems of a Chinese restaurant that the oil company’s employees commonly accessed to view its electronic menu.
Moreover, these organizations can be easier targets than their corporate clients, who often boast large, sophisticated security systems, experts say. Just as few criminals try to attack Fort Knox, few cyber-criminals target multinational retailers and other global firms directly, says Trey Ford, global security strategist with Rapid7, a provider of security data solutions. “They go to the soft edges.”
Of course, the organizations that collect and process sensitive data remain responsible for it, even if the information is subsequently transmitted to third parties. Securing it starts with recognizing its value, Rosenberg says. “There are markets for this sensitive information.”
Know Your Third Parties
Even once organizations pull together information on their third-party partners, too many view it with an eye on materiality. Business partners whose contracts with an organization are worth $1 million receive more attention than those with contracts worth $100,000. While categorizing vendors this way makes sense for many purposes, it may not be as relevant when assessing data security risks. “Look at what data the vendors have,” Holcomb says. “It’s possible a smaller business partner has more access to your data.”
Most organizations should use a broad definition of “service provider” when assessing potential security risks, Rosenberg says. For instance, a firm that does remote analysis of videos generated by the security cameras in an organization’s parking lot could present a data security risk, if the information sits on or is linked to the network that handles payment information.
This is enough for hackers, whose first goal is to breach the network. Once they’re in, most can jump from one server to another and gather the information they really want. “It’s like breaking into a house. Most people don’t have deadbolts on every room,” Rosenberg says. Like any robbers, cyber-criminals just need to find a point of entry to wreak havoc.
That’s why compliance professionals need to evaluate the security policies and procedures in place within their vendors’ systems. One tool some companies use is a SOC (Service Organization Control) 2 report, Holcomb says. SOC 2 is a Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
Sidebar: Insiders vs. Outsiders. In PwC’s Global State of Information Security 2015 survey, companies were asked to rank who was most to blame for cyber-security incidents in 2013 and 2014, internal or external sources. (Chart not reproduced.)
Another is the SIG, or Standard Information Gathering, Questionnaire, Dambrot says. These questions are designed to obtain information about the service provider’s IT, privacy and data security controls. It was created by the Shared Assessments Program, an initiative of leading financial institutions, accounting firms, and service providers.
Along with identifying and categorizing the third parties with which their organizations work, compliance professionals need to understand the contracts that govern the relationships between them. As Holcomb asks, “What are the third parties required to do, and what does the organization have to do?”
Organizations also need a way to monitor or check service providers’ actions on an ongoing basis. For instance, if a service provider is required to conduct regular tests of its network, the organization needs some assurance they’re doing this. “Get the right to audit in the contract,” Dambrot says.
Rosenberg recommends requiring service providers to use two-factor authentication. In other words, anyone accessing the network must present at least two items drawn from different categories among the following three: something he or she knows, such as a password; something he or she has, like a token; and something he or she is, such as a fingerprint. The combination, while not impenetrable, will hamper the bad guys.
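As an added example, not taken from the article or from any company quoted in it, the following Python sketch enforces the rule above for a vendor login: access is granted only when at least two verified factors come from distinct categories, so two passwords do not qualify. The user record, salt, TOTP secret and timestamps are constructed; the “something you are” factor is not modeled.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

# Factor categories from the article: know / have / are.
KNOW, HAVE, ARE = "know", "have", "are"

# Constructed credential record for one vendor technician (hypothetical data).
_SALT = b"constructed-salt"
VENDOR_USER: Dict[str, bytes] = {
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
    "totp_secret": b"constructed-totp-secret",
}

def check_password(user: Dict[str, bytes], candidate: str) -> bool:
    """Something you know: constant-time compare of a PBKDF2 hash."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, 100_000)
    return hmac.compare_digest(digest, user["password_hash"])

def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Something you have: RFC 6238 TOTP (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_totp(user: Dict[str, bytes], candidate: str, unix_time: int) -> bool:
    # Accept the current window and the previous one to tolerate clock skew.
    return any(
        hmac.compare_digest(totp_code(user["totp_secret"], unix_time - d), candidate)
        for d in (0, 30)
    )

def authorize(user: Dict[str, bytes], presented: List[Tuple[str, str]], unix_time: int) -> bool:
    """presented = [(category, value), ...]; grant only if two or more
    *verified* factors fall into distinct categories."""
    verifiers = {
        KNOW: lambda v: check_password(user, v),
        HAVE: lambda v: check_totp(user, v, unix_time),
        # ARE (biometric) is not modeled here, so it never verifies.
    }
    verified = set()
    for category, value in presented:
        checker = verifiers.get(category)
        if checker is not None and checker(value):
            verified.add(category)
    return len(verified) >= 2
```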
Many companies include contract addendums containing specific security requirements that can be updated as needed, Dambrot says. This could be the place to include encryption requirements or a mandate that the vendor complete background checks on employees.
Compliance professionals and their colleagues also need to consider the steps they’ll take if it becomes clear a vendor’s risk profile exceeds a level the company is willing to assume, says Lillian Borsa, a partner in PwC’s U.S. performance GRC practice. “Ask yourself, ‘Are we in a position to exit this relationship?’”
Finally, compliance needs to help develop a response plan, Borsa says. If an incident occurs, what actions would the organization take? Who would be in charge? Who would manage communication, both internally and to customers, regulators, and others outside the organization?
Managing the risks of working with third parties requires an ongoing commitment. On the upside, it can lead to benefits that go beyond compliance, such as a rationalization of the organization’s vendor base. “First and foremost you want to mitigate risk,” Borsa says. “But this can be a positive.”