How to Protect Your Data from Third-Party Breaches
The December 2013 Target data breach that compromised the credit card information of 40 million customers was the first of many wake-up calls to organizations, bringing home the damage a company can sustain when a partner’s systems are hacked. As the whole world now knows, the HVAC supplier had access to more of Target’s systems than was needed or intended, and hackers infiltrated Target’s network through the partner’s own vulnerable solution.
Sadly, Target is not the lone case. More recently, the personal information of 15,000 Boston Medical Center patients and the payment card details of 868,000 Goodwill customers were compromised through data breaches at vendor companies with access to the organizations’ systems. In fact, a recent PwC study found the biggest challenge to security today comes from internal sources – employees and partners – not external threats.
Vendors often need remote access to maintain your internal systems, but they may not be as stringent about security processes as your chief security officer, CIO, or IT team. For example, partners’ systems may run software that its developer no longer supports and that is hence vulnerable. Even worse, they may use the same administrative passwords across every customer’s systems.
All this translates into the need for a far more comprehensive information security risk management strategy — one that not only oversees your data, but also third-party access rights, the robustness of network defenses, and more.
Here are some best practices to help protect your network from third-party data breaches:
Be aware of what your vendors can remotely access. Understand what kind of data and which systems your vendors can access, and the levels of access they enjoy. Can they retrieve critical data they do not need for their work, or do they have access only to the resources necessary to perform their jobs? This is of particular importance when you work with infrastructure management partners, for instance, because such partners have privileged access that could pose a significant threat if not properly secured. Provide access to data and systems only on a need-to-know basis.
Standardize remote access methodologies. The proliferation of available remote access methodologies (WebEx, web conferencing tools, and virtual private networks, for example) makes it difficult to monitor and manage access controls. Simplify this and better manage connections made to your network by defining the specific methodologies you will allow.
Use stronger authentication. Insist that vendors who must access your environment use two-factor authentication and institute well-defined access control processes.
Segment your network behind firewalls. Allow vendors access only to a specific segment of the network, firewalled from the others. Network segmentation limits the damage a third-party data breach can do. To make this even more effective, provide dedicated systems for vendors, so they do not use their own machines to connect to your network.
Monitor network defenses frequently. Frequently audit access controls and security policies to identify security gaps that can be plugged before a breach occurs. Real-time analysis lets your IT department see what is being accessed, by whom, and why, as your vendors connect to your network, which helps identify problematic activity early.
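As an added illustration, not part of the original article, the following Python script shows how the preceding points (need-to-know access scope, standardized access methods, mandatory two-factor authentication, and confinement to a vendor segment) can be checked automatically over vendor session records exported from a VPN gateway, jump host or SIEM. The log lines, vendor names, IP ranges and the policy layout are all constructed for the example; adapt the field names to whatever your own gateway emits.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample export (not real data): one JSON object per line, the
# kind of record a VPN concentrator, jump host or SIEM emits per vendor session.
SAMPLE_LOG = """\
{"ts": "2024-03-01T02:14:00Z", "vendor": "hvac-co", "user": "hvac-svc", "method": "vpn", "mfa": true, "dst": "10.40.3.10", "action": "read-sensor"}
{"ts": "2024-03-01T02:20:00Z", "vendor": "hvac-co", "user": "hvac-svc", "method": "vpn", "mfa": true, "dst": "10.10.7.22", "action": "smb-write"}
{"ts": "2024-03-01T03:05:00Z", "vendor": "pos-support", "user": "pos-admin", "method": "webex", "mfa": false, "dst": "10.20.1.5", "action": "rdp"}
{"ts": "2024-03-01T04:00:00Z", "vendor": "pos-support", "user": "pos-admin", "method": "jump-host", "mfa": true, "dst": "10.20.1.5", "action": "rdp"}
{"ts": "2024-03-01T04:30:00Z", "vendor": "unknown-co", "user": "tmp", "method": "vpn", "mfa": true, "dst": "10.20.1.5", "action": "rdp"}
"""

# Hypothetical policy: the standardized access methods the organization allows,
# whether MFA is mandatory, and, per vendor, the network segment and actions
# that are in scope for the work they were engaged to do.
POLICY = {
    "allowed_methods": {"vpn", "jump-host"},
    "require_mfa": True,
    "vendors": {
        "hvac-co": {"segments": ["10.40.0.0/16"], "actions": {"read-sensor", "update-firmware"}},
        "pos-support": {"segments": ["10.20.0.0/16"], "actions": {"rdp"}},
    },
}


def in_segments(ip, networks):
    """True if ip falls inside any of the CIDR blocks the vendor may reach."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def audit_sessions(log_text, policy):
    """Check every session record against the policy; return one finding per violation."""
    findings = []

    def flag(rec, reason):
        findings.append({"ts": rec["ts"], "vendor": rec["vendor"],
                         "user": rec["user"], "reason": reason})

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        vendor = policy["vendors"].get(rec["vendor"])
        if vendor is None:
            # No agreement on file, so nothing this party does is in scope.
            flag(rec, "unknown vendor")
            continue
        if rec["method"] not in policy["allowed_methods"]:
            flag(rec, "non-standard access method")
        if policy["require_mfa"] and not rec["mfa"]:
            flag(rec, "mfa not used")
        if not in_segments(rec["dst"], vendor["segments"]):
            flag(rec, "destination outside vendor segment")
        if rec["action"] not in vendor["actions"]:
            flag(rec, "action outside approved scope")
    return findings


def summarize(findings):
    """Count findings per vendor, the figure a periodic access review starts from."""
    return dict(Counter(f["vendor"] for f in findings))


if __name__ == "__main__":
    results = audit_sessions(SAMPLE_LOG, POLICY)
    for f in results:
        print(f"{f['ts']} {f['vendor']}/{f['user']}: {f['reason']}")
    print(summarize(results))
```

Run against the constructed log, the script reports nothing for the two in-scope sessions and flags the HVAC account reaching a host outside its segment with an unapproved action, the support account connecting over a non-standard tool without MFA, and a party with no agreement on file. Each check is independent, so a single session can produce several findings, which makes it easier to see exactly which control failed.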
Hold vendors to the same security standards you hold yourself. However stringent your organization’s security system, all is nullified if your vendors are not equally particular. Define your security requirements upfront when signing on a new vendor. Review their security processes and access control policies, and check if they conduct regular penetration testing on their systems and network. Insist they adhere to the same standards as your organization in the areas of data protection, identity management, authentication, and other security measures.
Proactively plan for third-party breaches. You will (or should) already have a robust incident response and disaster recovery plan for attacks on your own systems. Take this a step further by planning a defense against third-party attacks as well. Ask your vendors to demonstrate how they protect your data, their incident response plan, and how they will deal with breaches that can affect your data.
Periodically verify your vendors’ security posture. Security assurance is not a one-time task but a continuous process. Conduct periodic audits of your vendors to make sure that they follow best practices and have the necessary technical controls in place. The aim should not be to review every vendor you engage, but to conduct a thorough audit with greater frequency for targeted, high-risk vendors.
In this, as in other aspects of your relationship with your vendors, work with partners to identify security gaps and protect against breaches before they occur. Industry standards are gradually evolving to this end as well. The latest version of the Payment Card Industry Data Security Standard (PCI DSS 3.0) mandates that organizations pay closer attention to partners’ security practices. This will probably provide the much-needed nudge to get businesses to think beyond only their own security posture.