This blog was created from a recent episode of Device42’s podcast, The Hitchhikers Guide to IT. You can find the latest episodes here.
Vendors offer expertise, capabilities, and tools that enterprises need. Yet, they can also create unwanted cybersecurity risks. More than half (59%) of respondents to a Ponemon Institute/Mastercard RiskRecon survey have experienced a third-party breach, with 54% saying it occurred within the past 12 months.
On a recent episode of The Hitchhiker’s Guide to IT, Host Michelle Dawn Mooney was joined by Thomas “T.J.” Johnson to discuss vendor management and cybersecurity in an era of growing risks and threats. Johnson is the National Leader of Cybersecurity for BDO Digital. He has been in security leadership for more than 20 years and is responsible for the teams that deliver security solutions to BDO customers.
Johnson began his career as a network engineer at a bank, protecting firewalls. He then moved into IT governance and compliance, a role which evolved into cyber security, as marketplace digital risks and threats increased.
Johnson mentioned that vendor management is becoming even more important as enterprises go cloud-first. Companies are working with multiple vendors to migrate workloads to the cloud. Nearly all (90%) of all enterprises have a multi-cloud strategy, selecting different vendors to provide key capabilities and avoid the business continuity risk of sole-sourcing.
With the heavy marketing around cloud security, some leaders may assume that their cloud partners, such as hyperscalers, colocation firms, and managed service providers, assume all responsibility for these risks. Not so, said Johnson.
“Some of the misnomers of using a vendor are that, hey, we can like, forklift these workloads and put them in the cloud. We don’t have to worry about it anymore. We just transferred risk. And while that might be true in some cases, there are still some aspects that we need to kind of consider when we’re working with vendors,” said Johnson.
Hyperscalers and their clients have a shared responsibility for protecting cloud infrastructure, applications, and data. Leading cloud services providers will provide identity and access management (IAM), threat detection, network and application protection, data protection, and incident response. They’ll also provide compliant services that enable customers to meet leading industry regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS).
However, enterprises are ultimately responsible for the security and health of their devices, applications, and data. That’s why many have adopted a layered approach to security, with controls throughout the environment. They also use zero-trust models, which means authenticating every connection, continuously to identify behavioral anomalies that could indicate unauthorized access attempts. Finally, many enterprises are adopting cloud-native tools, such as public cloud data security platforms, to discover, monitor, protect, and remediate data.
The Importance of Risk Assessments
Organizations often miss out on an opportunity to gain a more holistic view of risks by documenting their critical vendors and completing risk assessments. This process should be completed before onboarding a new vendor and refreshed regularly based on the vendor’s risk profile.
As part of this process, IT teams will assess their prospective or current partners’ security protocols and processes, what data and applications they will be managing, and whether any other firms will be supporting this work. They can then use these risk ratings to determine whether to engage with a vendor or require them to remediate risks before working with them. Enterprises can also improve business continuity by working with multiple providers or codifying a plan for moving to another provider if service-level agreements aren’t met.
“Who’s got our data? What are they doing with it? What services are we using? And then once we have that down, I think we really need to risk rate our bidders. Who’s doing the most critical things for us? And that kind of really dovetails into the conversation. …. What happens if they’re not able to meet their service level? What happens if they have an outage? Are we going to be able to operate properly?” said Johnson.
The Growing Risk Posed by Third and Fourth Parties
While many firms feel that they understand third-party risk, this faith may be misplaced. Gartner finds that more than 80% of legal and compliance leaders identified key third-party risks after initial onboarding and due diligence, and they have classified 2.5X more providers as high risk as a result. In addition, most (73%) of organizations’ work to assess risks is focused on due diligence and recertification and only 27% to reviewing new risks that may emerge during the course of the relationship.
Even more poorly understood are the risks that fourth parties or sub-vendors pose. Cloud service providers have myriad parties that help them maintain and operate their business, some of which may have access to customer data and systems. Implementing zero-trust programs, enforcing least-privilege granted, and reviewing security data for anomalies can help enterprises reduce these unknown risks.
Understanding Cloud Security Responsibilities
After choosing vendors, risk mitigation work continues. Teams will review contracts in detail, create matrices of roles and responsibilities, and coordinate disaster response plans with their partners.
Cloud service providers offer many different capabilities, but not all are enabled by default, Johnson warned. As a result, they may need to be configured properly to enable new security features that reduce risks. As an example, ensuring PCI compliance requires that both IT service providers and their customers complete key actions, Johnson said.
Other examples include multi-factor authentication (MFA) and data loss prevention. Microsoft Office 365 and Microsoft 365 seek to enforce MFA, but it has to be enabled by each user. DLP in cloud services like Office 365 also has to be configured, and it’s not an easy process to do so, said Johnson.
In addition, enterprises need to have a plan for what they will do with security and compliance data. Office 365 enables organizations to manage and monitor user attempts to send out sensitive data, such as content with social security or credit card numbers. But enterprise IT teams need to determine whether they will just report these attempts, block them, or enable encrypted sharing of this data with other staff or partners.
IT teams can set up vendor relationships for success by reviewing contracts in depth, configuring services appropriately, and ensuring configurations are consistent across providers. As an example, firms may decentralize identity and access management across clouds, when using a centralized database or third-party tool would be a better choice.
“I come across a lot of organizations that continue to have that a little bit separated. You’ve got credentials for AWS. You have credentials for Azure. And then some people even have GCP with some workloads there, whether it be Gmail or some of the other G products,” said Johnson.
By using these strategies, enterprises can improve their vendor risk management practices. They’ll reduce the risk of disabling outages, data breaches, or other issues occuring that could harm performance and create customer issues.