Addressing the Vendor Threat
Recent, high-profile breaches underscore that service providers expand enterprises’ attack surface. It is time to address the vendor threat.
More than a decade ago, the Target breach, in which attackers used credentials stolen from a third-party HVAC contractor to reach the retailer's network, underscored the need for more robust vendor security standards. Today those concerns have only intensified. As organizations rely on more third-party services and integrate more external systems into their networks, the number of potential entry points for attackers multiplies, and each one is a vulnerability that demands attention.
Cybercriminals are growing bolder, more overt in their demands, and faster to monetize the opportunities they uncover. Attacks are increasingly nuanced and sophisticated: attackers often infiltrate a network, keep a low profile, and patiently gather intelligence on how the organization operates before crafting a targeted attack. They are also adapting to an increasingly target-rich environment, in which the extensive interconnectivity of external vendors and service providers offers ample intrusion opportunities.
Therefore, it is not surprising that the service providers multiple organizations rely on are often targets. The reason is simple: Why attack one enterprise when a successful breach of a vendor can open the door to many?
Recent, high-profile attacks reflect this reality. In 2024, cyberattacks had historic consequences within the automotive, banking, healthcare, pharmaceutical and utility industries. It is estimated that a third of Americans’ personal information was compromised in the Change Healthcare breach alone.
This dynamic, in which vendors' systems expand the attack surface and present cybercriminals with more potential entry points, is not going away any time soon. Perhaps most importantly, organizations are usually targeted not because of who they are, but because of what they are not doing to safeguard their assets.
Addressing what you are not doing begins with assessing the fundamentals for vendor engagement and risk mitigation. Some of the many things to consider include:
The cybersecurity function: In most organizations, the CEO is responsible for strategic direction and overall culture, and the CFO is responsible for fiscal viability and required processes. In turn, the CIO and IT team provide technological assets for both to be successful. However, security is notably absent. A more holistic approach is to have a dedicated CISO who looks at risk not just through a technological lens, but as an endeavor that directly serves the CEO, CFO and CIO. In such organizations the CISO helps vet all vendors and assists the CEO with understanding how current strategy and culture create environments conducive to attack. They also support the CFO in understanding the security risks associated with business processes and work with the CIO to assess the risks inherent in the different technologies used internally and with vendors.
The vetting of vendors: The initial vetting of vendors, and the regular risk assessments that should follow, should follow a deliberate and detailed process. At the most basic level this means confirming that the service provider can demonstrate compliance with the regulations that apply to the data it will handle (HIPAA, GDPR, PCI DSS) and holds relevant certifications such as CMMC or ISO 27001, and asking for the audit reports or attestations behind them rather than accepting a logo on a website. Other important questions include whether the vendor was assembled through significant M&A activity, which often leaves disparate, inconsistently maintained systems that are prone to vulnerabilities. Importantly, has the vendor experienced breaches in the past, and if so, how did it respond? This information is not always publicly available but can often be gleaned from other customers' experiences.
The onboarding of new vendors: Many recent breaches stem from compromises in vendors’ systems onboarded by operational teams, not security or IT. No operational professional, whether they’re the head of accounting or the head of human resources, should oversee the security of a vendor’s system alone. Security is a distinct profession and career path that brings with it unique experiences and technical knowledge. The security lead or team should always be included when vetting service providers’ systems and before the establishment of any connections with the enterprise.
Vendor management: The right to audit security processes and preparedness should be written into all vendor contracts. Both minimum security baseline expectations and service level agreements should also be carefully considered. The security team, or security lead, should also maintain a strong dialogue with service providers about their systems. The time to begin a dialogue is not during a crisis.
The segmentation of systems: Segmenting systems, for example eliminating direct connections between core clinical systems and operational systems, or isolating vulnerable legacy systems such as aging SCADA and industrial control systems behind tightly controlled access paths, can dramatically reduce the blast radius of a cyberattack and is arguably the single most important step security leaders can take to both secure the business and maintain resiliency. The same logic applies to vendor connections: a vendor's remote access should terminate in a dedicated zone and reach internal systems only through explicitly permitted paths, never with a flat route into the network. Organizations should also consider whether it makes sense to bring some crucially important business and IT functions back on-premises to reduce the attack surface, or alternatively into an industry-specific, single-tenant cloud for greater resiliency.
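The segmentation point above is easier to hold vendors and internal teams to when the intended zone policy is written down and checked against observed traffic. The following is an added example (not code from the article or from any product it mentions) of a default-deny, zone-to-zone policy checker run over a handful of constructed flow-log lines. The zone names, address ranges, allowed flows and log format are all hypothetical assumptions for the illustration; in practice they would be loaded from the firewall, IPAM and flow collector rather than hard-coded.

```python
"""Zone-based segmentation policy checker (added example, not from the article).

Assumed zones, subnets, allow-list and log format are constructed for this
illustration. The policy is default-deny between zones: a cross-zone flow is
allowed only if its (source zone, destination zone, destination port) tuple is
explicitly listed. Traffic that stays inside one zone is allowed.
"""
import ipaddress
import re
from typing import Optional

# Hypothetical zones mapped to subnets (assumption; real values come from IPAM).
ZONES = {
    "clinical": ipaddress.ip_network("10.10.0.0/16"),
    "operational": ipaddress.ip_network("10.20.0.0/16"),
    "legacy_ics": ipaddress.ip_network("10.30.0.0/24"),
    "vendor_dmz": ipaddress.ip_network("10.40.0.0/24"),
    "jump": ipaddress.ip_network("10.50.0.0/28"),
}

# Hypothetical allow-list of (src_zone, dst_zone, dst_port). Note there is no
# path from vendor_dmz to legacy_ics or clinical: vendor support must go
# through the jump host, and only over SSH.
ALLOWED = {
    ("operational", "vendor_dmz", 443),  # staff browse the vendor portal
    ("vendor_dmz", "jump", 22),          # vendor support reaches the jump host only
    ("jump", "legacy_ics", 22),          # jump host performs ICS maintenance
}

# Assumed flow-log format: "... src=<ip> dst=<ip> dport=<port> ..."
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None if it is unclassified."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src: str, dst: str, dport: int) -> tuple[str, str]:
    """Decide allow/deny for one flow and explain why."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        # An address that belongs to no zone is a policy gap, so deny it.
        return "deny", f"unclassified address in {src} -> {dst}"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}"
    if (src_zone, dst_zone, dport) in ALLOWED:
        return "allow", f"{src_zone} -> {dst_zone}:{dport} is on the allow-list"
    return "deny", f"{src_zone} -> {dst_zone}:{dport} is not on the allow-list"


def audit(log_lines):
    """Return (line, reason) for every flow the policy would deny."""
    violations = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue  # not a flow record; skip
        verdict, reason = evaluate(match["src"], match["dst"], int(match["dport"]))
        if verdict == "deny":
            violations.append((line.strip(), reason))
    return violations


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    "t=1 src=10.20.3.4 dst=10.40.0.10 dport=443",    # staff -> vendor portal: allowed
    "t=2 src=10.40.0.10 dst=10.30.0.7 dport=502",    # vendor host -> PLC Modbus: violation
    "t=3 src=10.40.0.10 dst=10.50.0.2 dport=22",     # vendor -> jump host: allowed
    "t=4 src=10.50.0.2 dst=10.30.0.7 dport=22",      # jump host -> ICS: allowed
    "t=5 src=10.10.5.5 dst=10.20.8.8 dport=445",     # clinical -> operational SMB: violation
    "t=6 src=192.168.99.1 dst=10.10.5.5 dport=443",  # unclassified source: violation
    "t=7 src=10.10.5.5 dst=10.10.5.6 dport=443",     # intra-clinical: allowed
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION  {line}  ({reason})")
```

Running the checker over the sample flows flags the vendor host reaching a PLC directly, the clinical-to-operational SMB flow, and the unclassified source address. Treating unclassified addresses as violations is deliberate: an address that belongs to no zone is exactly the kind of forgotten vendor appliance or legacy segment that segmentation is meant to surface.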
Today’s service providers offer enterprises the capabilities they may find difficult to develop on their own and, in many cases, with significant cost savings over in-house approaches. But as recent cyberattacks show, these benefits must be weighed against the risks that arise when integrations result in additional exposure to threats. By first addressing the fundamentals and the costs and benefits that result, IT leaders can effectively manage what will always be a delicate balancing act.