What businesses need to know to evaluate partner cyber resilience
Many recent high-profile breaches have underscored two important cybersecurity lessons: the need for increased scrutiny when evaluating the access and controls of partners handling valuable customer data, and the imperative of assessing a third party's (hopefully multi-layered) approach to cyber resilience.
Given the average number of tech tools, platforms and partnerships today, having a clear and consistent partner evaluation process is critical for the protection of customer data and in limiting overall risk of exposure to cyber attacks. It is not an area where a business can “cut corners” to save time or dollars if the partnership cost seems too good to pass up – the long-term risk is simply not worth the short-term gain.
Recently, the Cybersecurity and Infrastructure Security Agency (CISA) included security ratings or scorings as part of its cyber risk reduction initiative. This is significant because it shows there is a need for consistent industry measurement that gives businesses an objective, quantifiable way of determining an entity's cyber risk, and of checking the level of trust they may incorrectly place in the partners who handle their data. While several agencies and government stakeholders are starting to use security ratings, the idea of a uniform scoring system is still a fairly novel concept that will continue to evolve.
In the meantime, here are four questions businesses should ask when determining a partner’s cyber resilience to reduce the possible risks that come with giving external parties access to sensitive data.
What are your current standards for protecting customer data?
Protecting customer data is vital and is now regulated in certain geographies with the introduction and implementation of privacy laws like the GDPR and the CCPA. Non-compliance with either of these regulations may result in large fines that can pose a serious threat to business continuity, depending on the size of the company and the violation.
While the GDPR and the CCPA are two of the most well-known regulations, at least 25 U.S. states have data protection laws, with Virginia being the most recent to enact legislation.
Legislation aside, organizations must protect data and be able to recover it in the event of any loss. Not being able to recover data, even when the fault lies with a partner, can quickly propel an organization toward financial setbacks, damaged relationships and a diminished reputation. When evaluating a partner, ask them to detail their backup strategy and policies. Regular infection simulations and backup procedure tests are crucial in making sure you are prepared for a real DEFCON scenario.
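A backup procedure test is only meaningful if the restored data is compared against what was backed up, file by file. The following added example (not code from the original article or from any vendor) shows the minimal form of such a restore drill: a SHA-256 manifest is recorded at backup time, and a restored tree is checked against it for files that are missing, silently altered, or unexpected. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256; taken when the backup is made."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the backup manifest.

    Returns the three findings a restore drill must surface: files that did not
    come back at all, files whose content differs from the backup (silent
    corruption or tampering), and files present that were never backed up.
    """
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in restored),
        "corrupted": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(p for p in restored if p not in manifest),
    }


def run_restore_drill() -> dict:
    """Constructed drill: back up a small tree, then 'restore' it with deliberate defects."""
    with tempfile.TemporaryDirectory() as tmp:
        # Live data as it looked at backup time (constructed sample content).
        live = Path(tmp) / "live"
        (live / "db").mkdir(parents=True)
        (live / "db" / "customers.csv").write_text("id,email\n1,a@example.com\n")
        (live / "db" / "orders.csv").write_text("id,total\n1,9.99\n")
        (live / "config.yaml").write_text("retention_days: 30\n")
        manifest = build_manifest(live)

        # The restored tree: one file intact, one altered, one missing, one stray.
        restored = Path(tmp) / "restored"
        (restored / "db").mkdir(parents=True)
        (restored / "db" / "customers.csv").write_text("id,email\n1,a@example.com\n")
        (restored / "config.yaml").write_text("retention_days: 7\n")  # altered content
        (restored / "notes.txt").write_text("stray file\n")  # never in the backup
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(run_restore_drill())
```

In a real drill the manifest is written alongside the backup (and ideally signed or stored out of band), and the restore is performed onto a clean host so that the comparison also exercises the partner's restore tooling rather than just the storage.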
Do you have true end-to-end security?
Businesses must have endpoint security in place, as cybercriminals are constantly developing new ways to attack networks, take advantage of employee trust and steal data. In traditional office settings, employees were better protected inside the corporate network. With so many workforces operating remotely, it is worth taking the time to ask about your partner's endpoint protection, so that you can be confident in their data security posture regardless of remote work conditions and less-secure home networks.
Are your security policies consistent throughout departments and personnel?
A company should have consistent security procedures across all departments, but depending on its size and environment, that consistency can be a challenge. When evaluating a prospective partner, confirm that they have a standard policy in place for each security measure.
A few examples of security policies that should be standardized across the business: requiring firewall and VPN usage; setting access controls that vary with each employee's role and permission needs; group policies that disable what employees are not using (such as macros, scripts and PowerShell) so those features cannot be abused by criminals; updating software in a timely manner; and outlining an incident response plan in case defenses are breached.
In addition to standardizing security policies, a cyber resilient partner will take the necessary measures to educate their staff about the latest cyber threats and will run security training and awareness programs at all levels of their organization. Security awareness training has been shown to change risky employee behaviors, such as clicking on links from unknown senders, that can lead to security compromises.
Do you perform security audits regularly?
A security audit includes penetration testing of internal and external systems, as well as a review of security policies and procedures. It is a cooperative (rather than adversarial) exercise for learning about the security risks to systems and how to mitigate them. Partners should conduct security audits at least annually.
In partnership conversations, have an open discussion with the potential partner to find out whether, if a breach were to occur, your company would be able to obtain access to their security audit logs. With access to the logs, your company has visibility into exactly what was accessed (or denied access) and when. These logs will be crucial for establishing the scope of the damage and for providing accurate information to the regulators that enforce data privacy laws like the GDPR and the CCPA, which would require reports from you, as well as for crisis PR statements to customers about the breach.
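To make "what was accessed, what was denied, and when" concrete, the following added example (written for this page, not code from the original article or from any logging product) parses a handful of constructed audit log lines in a simple key=value format and scopes a suspected breach: given a time window and the principals the partner has flagged, it reports each resource those principals successfully touched (actions, first and last time, source addresses) and each resource they were refused. The log format, the sample lines, the user names and the IP addresses are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit lines (assumed format; not any vendor's real schema).
SAMPLE_LOG = """\
2024-03-02T09:58:11Z user=alice action=READ resource=/crm/accounts result=ALLOW src=10.0.4.7
2024-03-02T10:02:40Z user=svc_backup action=READ resource=/crm/accounts result=ALLOW src=10.0.9.2
2024-03-02T10:15:03Z user=svc_backup action=EXPORT resource=/crm/accounts result=ALLOW src=198.51.100.23
2024-03-02T10:15:09Z user=svc_backup action=READ resource=/hr/payroll result=DENY src=198.51.100.23
2024-03-02T10:15:10Z user=svc_backup action=READ resource=/hr/payroll result=DENY src=198.51.100.23
2024-03-02T10:16:31Z user=svc_backup action=READ resource=/crm/contacts result=ALLOW src=198.51.100.23
this line is malformed and must be skipped, not crash the parser
2024-03-02T11:40:00Z user=bob action=READ resource=/crm/contacts result=ALLOW src=10.0.4.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>ALLOW|DENY) src=(?P<src>\S+)$"
)


def parse_audit_log(text: str) -> list:
    """Turn raw lines into event dicts; malformed lines are dropped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        # ISO 8601 with a trailing Z; normalize to an aware UTC datetime.
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def scope_breach(events: list, start: datetime, end: datetime, suspect_users: set) -> dict:
    """Summarize what the suspect principals reached, and were refused, inside the window."""
    accessed = defaultdict(lambda: {"actions": set(), "first": None, "last": None, "sources": set()})
    denied = defaultdict(int)
    for e in events:
        if e["user"] not in suspect_users or not (start <= e["ts"] <= end):
            continue
        if e["result"] == "ALLOW":
            rec = accessed[e["resource"]]
            rec["actions"].add(e["action"])
            rec["sources"].add(e["src"])
            rec["first"] = e["ts"] if rec["first"] is None else min(rec["first"], e["ts"])
            rec["last"] = e["ts"] if rec["last"] is None else max(rec["last"], e["ts"])
        else:
            denied[e["resource"]] += 1
    # Sets and datetimes become sorted lists and ISO strings so the report is easy to hand over.
    return {
        "accessed": {
            res: {
                "actions": sorted(rec["actions"]),
                "sources": sorted(rec["sources"]),
                "first": rec["first"].isoformat(),
                "last": rec["last"].isoformat(),
            }
            for res, rec in sorted(accessed.items())
        },
        "denied": dict(sorted(denied.items())),
    }


def example_report() -> dict:
    """Scope the constructed incident: svc_backup's activity between 10:10 and 10:30 UTC."""
    events = parse_audit_log(SAMPLE_LOG)
    start = datetime(2024, 3, 2, 10, 10, tzinfo=timezone.utc)
    end = datetime(2024, 3, 2, 10, 30, tzinfo=timezone.utc)
    return scope_breach(events, start, end, {"svc_backup"})


if __name__ == "__main__":
    print(example_report())
```

The report answers the two questions the article raises: the EXPORT of /crm/accounts and the READ of /crm/contacts are the confirmed exposure, while the denied attempts on /hr/payroll show where the controls held. The parser's refusal to guess at malformed lines matters in practice, since a report to a regulator has to be defensible line by line.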
Ensuring that your contractor or partner is cyber resilient is of the utmost importance when it comes to protecting data, your customers, your employees and your business. Use the checklist above when evaluating partners or partnership renewals to confirm that they have layers of defense in place and are taking measures to keep data secure and protected.