If you think your systems are safe, think again. Chances are they’ve already been breached, and it’s one of your key business partners that’s left open the door.
Getting smart about the risks means knowing your partners well. These important safeguards will help you protect your business – and your relationships.
Cybersecurity breaches are continually rising around the world, it seems, no matter how much we invest. But what if the weak link into our systems is through one of our key business partners? And what can we do to protect ourselves?Criminals look for the weakest link
Nearly every company is at risk. A recent UK Government survey of 664 companies1 found that 90% of large organizations and 74% of small businesses had suffered a security breach - up from 81% and 60% respectively, a year before.
To further complicate matters, it can be many months before you realize a breach has occurred. According to the 2015 Ponemon Cost of Data Breach Study,2 it takes an average of 256 days to identify a malicious attack.
Companies are responding by investing in systems that better lock down their own information. However, in today’s global business environment, most companies are collaborating with a broad range of third parties – from contractors to manufacturers, vendors, consultants and others. These “insiders” may have security vulnerabilities of their own that could allow bad actors access to seize confidential information or compromise networks.
Case in point: hackers tapped into the Target corporate network through a third-party heating and ventilation vendor who had access to the corporate network.3 An article in the Financial Times states: “Financial criminals will typically look for the weakest link – the most efficient, easiest way into a system. And, the majority of the time, suppliers are the easiest way in.”4
Review practices to protect confidential assets
Industry standards and guidance are valuable for helping organizations put robust practices in place to address cybersecurity risks posed by third parties. However, if the protection of confidential information has not been included among the objectives, an organization might comply formally with applicable information security standards, but still have inadequate business processes in place to protect a company’s confidential assets.
Here are two you should be reviewing:
- International standards including ISO 270015 and industry standards such as COBIT6 provide frameworks and methodologies for assessing and addressing many potential cybersecurity problems.
- The US National Institute of Standards and Technology (NIST)7 has released the first version of its own Framework for Improving Critical Infrastructure Cybersecurity, a set of voluntary industry standards and practices provides guidance to help organizations manage cybersecurity risks.
NIST recognizes it is vital to include the supply chain in any such assessment of a company’s IT risks, and not “leave the weakest links susceptible to penetration and disruption.”8 The ISO standard also notes: “the establishment and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization.”9
Ask tough questions to ensure confidential information is not at risk
Does your company and your third parties have effective information security systems in place? The following questions address the major components of an effective program and can also be a starting point in talking with third parties about the measures they should have in place.
- Are there corporate policies, procedures and records specific to protecting confidential information?
- Is there a cross-functional team working to address compliance?
- Is the protection of confidential information included in risk assessment and compliance programs? How is this enforced?
- What due diligence measures do third parties use with their subcontractors?
- How robust are physical and electronic security systems for protecting confidential information?
- Is there adequate employee training on how to keep information confidential and avoid being prey to a cyber-attack? Is this in writing?
- Are written protocols monitored to ensure compliance?
- When there is a problem with compliance, are there business processes in place to fix the problem and improve practices?
Webinar offers practical advice
More practical advice is available in an IACCM Ask the Expert webinar10
During the presentation, host Allen Dixon, from CREATe.org, reviews the following issues:
- cybersecurity risks and third party vulnerabilities;
- elements of an effective program;
- third party contracts that address cybersecurity (new and updates); and
- ongoing monitoring for the protection of business critical information and cybersecurity capabilities.
Integrating business processes to protect confidential information into the full contract process – from pre-contract risk assessments and due diligence to contract language and ongoing monitoring – will help to ensure that third party partners take information security seriously and are taking the necessary steps to protect confidential information and mitigate the risks of cyber threats.
- Cyber alert – Q2 2015 – PWC’s 2015 information security breaches survey: One third of businesses fail to assess cyber risk
- 2015 IBM-Ponemon Cost of Data Breach Study
- Target Hackers Broke in Via HVAC Company Feb 2014
- Hackers find suppliers are an easy way to target companies – October 2014, Financial Times (subscription required)
- ISO 27001:ed-2:v1:en available via ISO online browsing platform
- COBIT 5 Framework: Risk Framework for Management of IT related business risks
- NIST - Cybersecurity Framework
- NIST Roadmap for Improving Critical Infrastructure Cybersecurity, February 2014
- ISO/IEC 27001:2013(en) Information technology — Security techniques — Information security management systems — Requirements, available via ISO online browsing platform
- IACCM webinar Cyber thefts are on the rise. What can you do to protect your company from losing critical business information when working with third parties?
ABOUT THE AUTHOR
Pamela Passman, President and CEO, Center for Responsible Enterprise And Trade (CREATe.org) non-governmental organization (NGO) helping companies around the globe prevent piracy, counterfeiting, trade secret theft, and corruption. Prior to founding CREATe in October 2011, Passman was the Corporate Vice President and Deputy General Counsel, Global Corporate and Regulatory Affairs, Microsoft Corporation.
Contact: Anne Walker, CREATe.org, awalker@CREATe.org