July 2019 – CEO Security Intelligence Brief

 

Third Parties are either directly or indirectly responsible for 63% of all cyber attacks. 

The costliest threats to small and medium businesses involve data leaving the organization via third-party providers. Cybersecurity incidents involving I.T. infrastructure services that hosted under a third-party contract costs companies on average $118,000, and third-party cloud incidents cost companies 89,000 dollars last year, while suppliers sharing company data rang up another bill of $83,000.

Organizations looking to improve their digital strategies are choosing to work with third parties to store their data or change the access to their infrastructure to increase their security, without thoroughly vetting the company and understanding their level of risk or their responsibility when it comes to the data they entrust and cybercriminals are taking advantage.

Hackers are quick to recognize the poorly protected networks of the small/medium business and the ease with which they grant unlimited access to their enterprise infrastructure to third-party providers as the bushels of low hanging fruit ready for harvest.

Breaches are Costly in the Cloud

The growth of cloud services has sparked new security issues, with companies witnessing a lack of visibility and blind spots created by the infinite numbers of security tools, solutions, and platforms creating barriers for security administrators and fertile environments for cybercriminals.

People are often the weak link in lackluster cloud security and the problems related to cloud service configurations that go on to result in accidental data exposure.  One big security issue is the use of multi-site passwords, which refers to the use of the same password across platforms including on cloud-based systems.  If breached, that password acts as a master key to your corporate network for cybercriminals.

How many cloud services do you utilize?

Every third-party vendor you use becomes a part of your digital ecosystem and increases your risk of a cyber incident. 

Here is a question for you – How many third parties have access to business sensitive or confidential information?

What number did you say?

Well, it may come as a massive surprise to you, but the average number of third parties is 471.  You read that right, and that is a lot of access to business sensitive and confidential information. Most unfortunately for them is that most companies fail to keep an up-to-date- inventory of what third parties they allow to access their sensitive data.

The only way to mitigate some of the risks is to establish a system capable of monitoring the security of each of the third-parties that have access to your data.  After all, it is you, the CEO, that is responsible for all the sensitive data that you store. 

Are you next?  Can you afford a third-party data breach?

When it comes to access by your third-party vendors, Do you know how secure your data is? 

If you experienced a breach or ransomware attack, are you aware of the consequences?

If you are an SMB, you have a better than twenty-five percent chance of being your company becoming a data breach victim within the next 24 months.  Is that a gamble your willing to take?

Is it the dollar amount that concerns you?  It should, but that is a minor part of the equation compared to the more significant component which is lost business which can account for 37% of the total cost. You also face the problem of acquiring new customers.  According to Credit Union Times, sixty-nine percent of consumers feel businesses ‘don’t take customer data security very seriously and 70% of them said they would stop doing business with a company following a data breach. 

Then you also have to consider harm to reputation, brand, or marketplace image of your company.  According to the IBM-Ponemon Institute, (https://www.ibm.com/security/data-breach) 65% of companies surveyed stated that a data breach has adversely affected their company image.

Organizations who allow unvetted third-parties to access their critical systems are also 63% more likely to experience a security breach as compared to those that don’t allow such access.  If you are going to use third-party services, be sure that you secure and limit their access so you protect your company from the various regulatory risks which can be financial, but also reputational.

So when you think that the price is too high and you cannot afford it — Consider all the costs you will incur when you get attacked.

Cost is probably the biggest stumbling block that small and medium-sized businesses (SMBs) face when considering the robustness of their cybersecurity system. 

Although they logically understand the need to secure their systems and data, often when presented with the type of solution warranted by their type of business operation or regulatory requirements, the costs come as a shock. Many mistakenly believe that they don’t have enough to protect or that they are not a big enough target to require that level of investment for security. 

What me…worry…Nah

What businesses fail to understand is that they are the most attractive targets for cybercriminals who know they do not have comprehensive cybersecurity defenses. Many small companies supply large companies with products or services, making their lack of security an open door into their primary target, the larger organization.

The remediation costs after a cyber attack often are so high that the business may be forced to their shutter their doors.  According to the Ponemon Institute (https://www.ibm.com/security/data-breach), data breaches rack up costs of over 2 million divided between cleanup and business disruption. It’s vital for CEOs to understand that the $2.2 million figure is an average figure. Your company’s remediation costs could be higher, mainly if you do business in a highly regulated industry, such as healthcare or finance.

Small businesses face exorbitantly high cyber attack costs.

It is not only the direct remediation that can include repairs to network systems and hardware but also an entire cadre of indirect costs that are related to restoration.

What are some of these indirect costs?

  • Fines and Penalties by Regulatory agencies for non-compliance
  • Legal actions brought by customers, suppliers, vendors, or business partners
  • Increased Insurance premiums
  • Increased Payment Processing Fees if the breach resulting in customer chargebacks on their payment cards
  • Credit Monitoring, Incentives, and Refunds to Customers affected by the breach.
  • Lost business revenue and sales opportunities

What happens if during remediation you have to close temporarily, even though no money is coming in, operational costs still must be paid, including rent, utilities, insurance, and payroll. That is why, according to the U.S. National Cyber Security Alliance estimate, that within six months of suffering a cyber attack, 60 percent of small businesses shut their doors.

A full proactive cybersecurity stack can cost a small business less than the unloaded annual cost of just one clerical employee.

The risks are dire. It’s not cybersecurity that SMBs cannot afford; it’s cyber attack remediation costs.

Let me give you a few simple steps you can take to ensure the safety of your data.

Step One – Evaluate each of your vendors:  Having just one-third party that does not pay attention to their security could allow an enterprising cybercriminal into your network.  Remember that selecting the vendor providing the service is just as important as the service or product itself.  Next, determine the particular data required by the service and control that access to that data after you confirm that you can give them access without violating your established cybersecurity access control policies. Finally, assure that that vendor maintains robust security procedures backed by security policies that comply with both your regulatory and best practices.

Step Two – Enforce robust reporting and auditing:  Having visibility into your vendors’ actions, ability to conduct regular security audits and having access to their in-depth report logs are mandatory. It is crucial that you be able to monitor,  track, and follow the “who/what/when/where” of every individual accessing your network system or the data it holds. Only with this information will you be able to detect vulnerabilities and weaknesses and be able to address them rapidly.

Step Three – Ensure robust controls: Thoroughly analyzing your vendors’ security protocols, can assure they are meeting your company’s security requirements. The more definitive your control over access to data to each vendor the better the likelihood that your sensitive data is will remain secure, minimizing the chances of exposure of your data during a to third party breach.

The Importance of Vendor Contracts, Monitoring and Documentation

A vendor’s error is your error. Although you can outsource a business function, you cannot outsource the responsibility for any mishaps.

Improper third-party vendor arrangements can: 

    • Fail to secure data
    • Damage marketing
    • Increase debt collection
    • Breach customer trust

Companies are paying a steep price for vendor mistakes, especially those that harm customers.  These result, as they result in enforcement actions, hefty fines, and loss of business.

The first line of defense comes from business department heads, while the second and third lines are carried out by compliance and auditing teams.

It is not the job of Line employees and managers in charge of Sales and marketing, Human Relations, Operations, Accounting, or other parts of the business to have the expertise in negotiating the complex vendor contracts or their ongoing relationships. In this era of regulatory compliance and sophisticated attacks, it is impossible for them to learn as they go.

It can lead to a reputational risk to the institution and ultimately jeopardizes the careers of those executives deemed responsible.

Step 1: Organize Contracts

It is important you know every vendor under contract in your area of responsibility. 

That requires understanding the:

    • Service-level agreements
    • Contract terms
    • Fees and compensation arrangements
    • Provisions for renewals and cancellation

To manage contracts, you have to know they exist.  Having all contracts located in a single location can save you time and effort. 

Step 2: Don’t be an island in managing vendor relationships.

Third-Party oversight involves the company’s risk management, compliance, legal and audit teams when selecting vendors, conducting due diligence, and negotiating contracts.

Frustration runs deep when executives are kept in the dark about contracts to deliver services, especially when there is a failure to advise departments that have valuable perspective about the processes. 

Step 3: Kick the tires

Require on-site vendor inspection visits for those that provide critical services. 

Regulators want companies to document their process for monitoring their vendors, including what questions they ask and the checklists used during their visits.

Before visiting a vendor, establish a clear agenda for a visit and share it with them.  Once on-site, use your time judiciously.

Step 4: Acknowledge different viewpoints within a company

To facilitate honest communication, you must get perspectives from involved parties. 

Risk is only a piece of the puzzle for line managers who are often more preoccupied with business operations and achieving marketing and sales goals.

The job of auditors and compliance officers is to concentrate on risk and governance vs. day to day operations.

Managing third-party relationships and risks can be overwhelming for executives whose focus is primarily on successful business operations. It requires focus, planning, and support from top management, to provide the oversight needed to ensure that vendor practices aligned with regulatory expectations.

Step 5: Security – Its all in the Specifics

    • Require the appropriate clearance and access for the project and vendor representatives. 
    • Prevent other vendor departments from physical or electronic access to sensitive corporate data.
    • Prevent any vendors from bringing devices capable for copying data off computers or other confidential data (i.e., pens, hard drives, smartphones, tablets, USB keys or drives, or cameras)  
    • Require vendors to have service-level agreements in place that cover security requirements and conditions for vendor staff. 
    • Establish policy and procedures that cover any loss of intellectual property, security information, or service slowdowns that result from vendor turnover. 
    • Include provisions in contracts addressing what happens when critical members of the team depart.

Step 6: The Danger of Price Only Negotiations

If you want to start your vendor relationship on a wrong foot — negotiate on price. 

Negotiating on price and price alone will begin your relationship with a resentful vendor who will pinch pennies at your expense. Executives and front line management who negotiate well-rounded contracts end up paying less in the long run. 

It is critical for any contract negotiation that the company executive conduct an internal audit of the processes requirements and document in terms of business management tasks, processes, and values.  Additionally, the executive will have the most critical information required for a successful contract negation: knowing precisely, what functions you want to outsource.  With this information, they will able to evaluate and decide on the appropriate third party vendor.  An undefined scope of work to be performed by the vendor and the value of that work as determined by the business, is often the primary sticking point in any contract negotiation.

Step 7: Vendor Liability

A good contract also spells out who’s financially responsible for the risks involved in offshore outsourcing whether those risks come from: 

    • Turnover
    • Acts of God
    • War
    • Hackers, etc. 

A good indicator of the quality and reliability of the service vendor is how much financial responsibility they are willing to contractually accept.