Five steps to deal with third-party security risks

by Kaitlin Motley | Nov 16, 2015

This post is by guest author Brad Thies. Brad is principal at Barr Assurance & Advisory Inc., a risk consulting and compliance firm that provides business performance, information technology, and assurance services to clients across a variety of industries. See the end of the post for a full bio.

Networks were once the fences that protected businesses from external threats - a barrier only employees could access, fully controlled by the company.

The rise of telecommuting, virtual private networks and BYOD initiatives has changed it all. Businesses are increasingly reliant on third-party applications, from cloud storage providers to payroll systems, that have access to sensitive information. Many third parties use other third parties themselves, leaving companies with little control over who accesses their data.

Bad outsourcing decisions are responsible for 63 percent of data breaches, and 53 percent of organizations breached are vulnerable to another attack because of third-party access. 

Even with solid security practices of its own, no company is immune to a third party's insecure practices. Here's how to face this challenge:


1. Establish a vendor management program. It should begin with an initial assessment that can be reviewed at regular intervals. 

2. Rank vendors according to risk. Comprehensively catalog all third-party risks and rank them according to severity. A rules-based due diligence test will ensure a systematic approach. Also try leveraging existing vendor risk assessments, such as the Shared Assessments Program, to keep up to date with industry standards.

3. Ensure third-party apps employ proper protocols. With more apps hosted on the cloud, properly integrated security is imperative. The Cloud Security Alliance recently launched an open API group to standardize APIs, which should help to ensure core business systems communicate securely with other applications.

4. Practice endpoint security. Every computer is an endpoint, and each terminal must be responsible for its own security. Commercial cloud systems have significantly increased endpoint risk, and systems must be in place to combat this threat. Enforce a network-wide usage policy, and find an endpoint security product that offers strong real-world protection.

5. Keep current with third-party vulnerabilities. Ironically, some great third-party big data tools are available that can provide vulnerability intelligence. The National Vulnerability Database is the biggest and best one.
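As an added illustration (not code from the post or from Barr Assurance & Advisory), the following Python script combines steps 2 and 5: it gives each vendor a rules-based due diligence score and cross-references vulnerability records against the products each vendor supplies, so that a new high-severity finding moves the affected vendor up the ranking. The vendor inventory, the scoring weights, and the vulnerability records are all constructed for the example; the record layout is a simplified stand-in rather than the actual NVD feed format, and the CVE identifiers are placeholders.

```python
"""Added example (not from the original post): a rules-based vendor risk
ranking (step 2) that folds in vulnerability intelligence (step 5).

Everything below is constructed for illustration. The vulnerability records
use a deliberately simplified layout, not the real NVD feed schema, and the
CVE identifiers are placeholders, not real CVEs."""
from __future__ import annotations
from dataclasses import dataclass

# Assumed weights for the due diligence rules; tune to your own policy.
ACCESS_WEIGHT = {"sensitive": 3.0, "internal": 2.0, "none": 0.0}
FOURTH_PARTY_WEIGHT = 1.0   # vendor itself relies on other third parties
CVSS_ALERT_THRESHOLD = 7.0  # a high/critical finding triggers a review


@dataclass
class Vendor:
    name: str
    products: set[tuple[str, str]]  # (vendor, product) pairs, CPE-style
    data_access: str                 # "sensitive", "internal" or "none"
    uses_fourth_parties: bool


@dataclass
class Finding:
    cve_id: str
    cvss: float
    affected: tuple[str, str]


# Constructed inventory of hypothetical vendors.
INVENTORY = [
    Vendor("ExampleCloud Storage", {("examplecloud", "storage_gateway")}, "sensitive", True),
    Vendor("PayTrack Payroll", {("paytrack", "payroll_portal")}, "sensitive", False),
    Vendor("OfficeChat", {("officechat", "desktop_client")}, "internal", True),
    Vendor("PrintShop", {("printshop", "order_portal")}, "none", False),
]

# Constructed vulnerability records with placeholder CVE ids (not real CVEs).
RECORDS = [
    {"id": "CVE-0000-0001", "cvss": 9.8, "vendor": "examplecloud", "product": "storage_gateway"},
    {"id": "CVE-0000-0002", "cvss": 5.3, "vendor": "examplecloud", "product": "storage_gateway"},
    {"id": "CVE-0000-0003", "cvss": 7.5, "vendor": "officechat", "product": "desktop_client"},
    {"id": "CVE-0000-0004", "cvss": 8.1, "vendor": "othervendor", "product": "widget"},
]


def parse_records(records: list[dict]) -> list[Finding]:
    """Normalise raw records into Findings, skipping malformed entries."""
    findings = []
    for rec in records:
        try:
            findings.append(Finding(rec["id"], float(rec["cvss"]),
                                    (rec["vendor"].lower(), rec["product"].lower())))
        except (KeyError, TypeError, ValueError):
            continue  # one bad feed entry must not abort the whole run
    return findings


def match_findings(inventory: list[Vendor], findings: list[Finding]) -> dict[str, list[Finding]]:
    """Map each vendor name to the findings that hit one of its products."""
    index: dict[tuple[str, str], list[Finding]] = {}
    for f in findings:
        index.setdefault(f.affected, []).append(f)
    return {v.name: [f for p in v.products for f in index.get(p, [])] for v in inventory}


def risk_score(vendor: Vendor, findings: list[Finding]) -> float:
    """Rules-based score: data exposure + fourth-party exposure + worst known CVSS."""
    score = ACCESS_WEIGHT[vendor.data_access]
    if vendor.uses_fourth_parties:
        score += FOURTH_PARTY_WEIGHT
    if findings:
        score += max(f.cvss for f in findings)
    return score


def rank_vendors(inventory: list[Vendor], records: list[dict]) -> list[tuple[str, float, list[str]]]:
    """Return (vendor, score, matching CVE ids) sorted from highest risk to lowest."""
    matches = match_findings(inventory, parse_records(records))
    ranked = [(v.name, risk_score(v, matches[v.name]), [f.cve_id for f in matches[v.name]])
              for v in inventory]
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


def vendors_needing_review(inventory: list[Vendor], records: list[dict]) -> list[str]:
    """Vendors with at least one finding at or above the alert threshold."""
    matches = match_findings(inventory, parse_records(records))
    return [v.name for v in inventory
            if any(f.cvss >= CVSS_ALERT_THRESHOLD for f in matches[v.name])]


if __name__ == "__main__":
    for name, score, cves in rank_vendors(INVENTORY, RECORDS):
        print(f"{score:5.1f}  {name:<22} {', '.join(cves) or '-'}")
    print("review:", vendors_needing_review(INVENTORY, RECORDS))
```

Running the script prints the ranking and the vendors whose products carry a high or critical finding. In practice the RECORDS list would be populated from a vulnerability feed such as the NVD, and the run repeated at the review interval chosen in step 1, so that the ranking from step 2 stays current instead of reflecting a one-time assessment.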


Brad Thies is principal at Barr Assurance & Advisory Inc., a risk consulting and compliance firm that provides business performance, information technology, and assurance services to clients across a variety of industries. He specializes in helping clients assess, design, and implement processes and controls to meet customer, regulatory, and compliance requirements. Brad is a certified public accountant and a certified information system auditor with more than 10 years of experience in the industry.
