03 Nov Vendor Risk Management: When the Outsider Becomes the Insider Threat
Cybersecurity should already be one of your top priorities, regardless of whether you’re running a small credit union or an international bank. The safety of your most precious information — your clients’ information — is one of the most expensive building blocks of any company. Even worse, it’s slated to become even costlier as areas of growth in cybersecurity expand to cyber risk, cyber insurance, and IoT security.
Companies of the past might approach these problems by imposing firewalls or by hiring white-hat hackers. Although these methods may provide temporary peace of mind, they can’t stop what experts are calling an even greater risk: third-party vendors.
To investigate what many deem “the insider threat,”we spoke to Synoptek’s Information Security Program Manager, John Avery. John identified key oversights made by many financial institutions (FIs), and offered some solutions as to what you can do to keep your FI safe, even from those whom you may have given the “keys to the kingdom.”
What’s the Risk?
“It’s not uncommon for FIs to outsource pretty much every function,” Avery said. “Things you think FIs are managing themselves are often managed by a third party — everything from development to deployment, to ATMs and call centers to IT.”
Although third-party vendors — such as management and HR companies — are not inherently dangerous, they carry with them an immense risk, even under the noses of the companies who contracted them. A 2016 Bomgar study reported that, on average, 89 vendors access a company’s network every week; furthermore, the number of data breaches attributed to third-party vendors has increased by almost 25% since 2015. Recent high-profile breaches at Target and Home Depot are just the beginning, Avery said, and the consequences for FIs are likely more devastating due to the high number of third-party vendors they use.
“We’re talking about providing access to non-employees… to critical data,” he said. “How do we control what they do with that access? What’s the vendor’s risk mitigation strategy? FIs aren’t just on the hook to shore up their own environment, but they share responsibility for what these third parties are bringing to the table.”
The costs of investigating an internal breach add up quickly, even if you can’t identify the source. Although every situation is different, FIs are universally high-risk. As “critical infrastructure,” they are categorized among those in most danger of attack. Avery identified Health- care ($369 per record), Education ($260 per record), and FIs ($222 per record) as the “most expensive” data, due to their roles in fraud and identity theft. FIs, he noted, can easily get wrapped up in these breaches because they supply money on the back end.
Breaches may be costly, but to some the price of vetting third-party vendors is equally prohibitive. As a result, these companies often contract to the lowest bidder, resulting in risky vendors and opening them to attack.
Why Should FIs Perform Third-Party Due Diligence?
“Part of why they’re throwing so many resources at this is because if there’s a breach and you can validate you performed your due diligence, there may be some cost benefits to it,” he said. “On the other hand, if you’re asked, ‘why did you choose this vendor?’ and you say, ‘because it was the cheapest,’ you’ll be in hot water, be- cause you didn’t do your due diligence by validating that they had proper security controls in place.”
Avery suggested some further tips for practicing due diligence. “[Of third-party vendors] we ask, what are their policies? What sorts of vulnerability scans are they leveraging within their own environment, and how are they using those scans? What about penetration tests? What do they do with the information they find? How are they managing their own security?”
What can you do to Mitigate Risk?
“FIs are a top target for cyber-attacks, they need to understand that they need a dedicated team around the clock to monitor and investigate anomalous activity,”Avery said. “Most FIs don’t have the resources to do that — which is why it makes sense to partner with a firm like, Synoptek, to manage their security for them.”When gone unchecked, third-party vendors can easily become an inside threat, and wreak costly havoc on a company. And perhaps more importantly, it’s the responsibility of the contracting company — those who “give the key”— to properly vet their vendors.