Five steps to deal with third-party security risks
This post was originally published on KCNext and concerns third-party risk management.
Networks were once the fences that protected businesses from external threats: a perimeter only employees could access, fully controlled by the company.
The rise of telecommuting, virtual private networks and BYOD initiatives has changed all that. Businesses are increasingly reliant on third-party applications, from cloud storage providers to payroll systems, that have access to sensitive information. Many of those third parties rely on third parties of their own, leaving companies with little visibility into, or control over, who ultimately handles their data.
Even with solid security practices of its own, no company is immune to weaknesses in its vendors' security. Here is how to face this challenge:
1. Establish a vendor management program. It should begin with an initial assessment of each vendor and be reviewed at regular intervals, so the picture does not go stale as a vendor's role, or the data it handles, changes.
2. Rank vendors according to risk. Comprehensively catalog all third-party risks and rank them according to severity, taking into account what data each vendor can reach and how. A rules-based due diligence test ensures a systematic, repeatable approach. Also consider leveraging existing vendor risk assessment frameworks, such as the Shared Assessments Program, to keep up to date with industry standards.
3. Ensure third-party apps use secure protocols. With more apps hosted in the cloud, properly integrated security is imperative: traffic between your core systems and a vendor's should travel over authenticated, encrypted channels, not ad hoc integrations. The Cloud Security Alliance recently launched an open API group to standardize APIs, which should help ensure core business systems communicate securely with other applications.
4. Practice endpoint security. Every computer is an endpoint, and each one must be secured in its own right rather than relying on the network perimeter. Commercial cloud services have significantly increased endpoint risk, because the endpoint is now where corporate data meets third-party applications, and systems must be in place to combat this threat. Enforce a network-wide usage policy, and choose an endpoint security product that offers strong real-world protection.
5. Keep current with third-party vulnerabilities. Ironically, some of the best sources of vulnerability intelligence are themselves third-party services. The National Vulnerability Database (NVD), maintained by NIST, is the largest and most widely used; check the software your vendors supply against it regularly, not just once at onboarding.
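Step 5 is only useful if it is automated: someone has to take the list of third-party software from the vendor program and cross-check it against NVD whenever the feed updates. The script below is an added example (not code from the original post or from NIST) of that cross-check. It assumes the NVD CVE API 2.0 JSON layout (vulnerabilities[].cve.configurations[].nodes[].cpeMatch[], with versionStartIncluding / versionEndExcluding range keys and cvssMetricV31 scores) and uses a constructed inventory and constructed records with fictional CVE identifiers (CVE-2099-xxxx) so it runs offline. The vendor tier from step 2 is carried into the output so the most sensitive vendors' findings sort first.

```python
"""Cross-check a third-party software inventory against NVD-style CVE records.

Added example, not from the original post. Assumes the NVD CVE API 2.0 JSON
layout. All inventory entries and CVE records below are constructed sample
data with fictional identifiers.
"""
import re

# Constructed inventory: vendor/product spelled as in CPE 2.3 names, the
# version in use, and the risk tier assigned in step 2 (1 = highest risk).
INVENTORY = [
    {"vendor": "examplecloud", "product": "storage_agent", "version": "2.3.1", "tier": 1},
    {"vendor": "payrollco", "product": "payroll_suite", "version": "5.0.0", "tier": 1},
    {"vendor": "chatvendor", "product": "desktop_client", "version": "1.9.4", "tier": 3},
]

# Constructed NVD-style records (fictional CVE IDs, CVSS v3.1 metrics).
NVD_FEED = {"vulnerabilities": [
    {"cve": {"id": "CVE-2099-0001",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:examplecloud:storage_agent:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.4.0"}]}]}]}},
    {"cve": {"id": "CVE-2099-0002",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:payrollco:payroll_suite:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.1.0", "versionEndIncluding": "5.2.0"}]}]}]}},
    {"cve": {"id": "CVE-2099-0003",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:chatvendor:desktop_client:1.9.4:*:*:*:*:*:*:*"}]}]}]}},
]}


def parse_version(v):
    """'2.10.0' -> (2, 10, 0): compare numerically, not as strings ('2.10' > '2.9')."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def cpe_fields(criteria):
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = criteria.split(":")
    return parts[3], parts[4], parts[5]


def cpe_match_applies(match, item):
    """True if an NVD cpeMatch entry covers the inventory item's exact version."""
    vendor, product, version = cpe_fields(match["criteria"])
    if (vendor, product) != (item["vendor"], item["product"]) or not match.get("vulnerable", False):
        return False
    v = parse_version(item["version"])
    if version not in ("*", "-"):          # version pinned inside the CPE string itself
        return parse_version(version) == v
    # Otherwise the range keys bound the affected versions.
    if "versionStartIncluding" in match and v < parse_version(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= parse_version(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > parse_version(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= parse_version(match["versionEndExcluding"]):
        return False
    return True


def base_score(cve):
    """Prefer CVSS v3.1, fall back to v3.0 or v2; 0.0 if the record is unscored."""
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        metrics = cve.get("metrics", {}).get(key)
        if metrics:
            return metrics[0]["cvssData"]["baseScore"]
    return 0.0


def find_exposures(feed, inventory):
    """Return findings sorted by vendor tier (step 2) first, then CVSS score.

    Caveat: every node is treated as OR. Real feeds also carry AND nodes
    (product AND a specific platform); ignoring that over-reports rather
    than under-reports, which is the safer failure for a watch list.
    """
    findings = []
    for entry in feed["vulnerabilities"]:
        cve = entry["cve"]
        for item in inventory:
            hit = any(cpe_match_applies(m, item)
                      for cfg in cve.get("configurations", [])
                      for node in cfg["nodes"]
                      for m in node["cpeMatch"])
            if hit:
                findings.append({"cve": cve["id"], "vendor": item["vendor"], "product": item["product"],
                                 "version": item["version"], "tier": item["tier"], "score": base_score(cve)})
    findings.sort(key=lambda f: (f["tier"], -f["score"]))
    return findings


if __name__ == "__main__":
    for f in find_exposures(NVD_FEED, INVENTORY):
        print(f"tier {f['tier']}  {f['cve']}  CVSS {f['score']}  {f['vendor']}/{f['product']} {f['version']}")
```

On the constructed data this reports CVE-2099-0001 (storage_agent 2.3.1 is below the 2.4.0 fix) and CVE-2099-0003 (an exact-version match), and correctly skips CVE-2099-0002 because payroll_suite 5.0.0 is outside the 5.1.0 to 5.2.0 range. In practice you would replace NVD_FEED with the JSON returned by the NVD API and run the script on a schedule; the hard part is keeping INVENTORY honest, which is exactly what the vendor program in step 1 exists to do.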