I’ve worked with all sorts of organizations, in healthcare and beyond, and have come to one conclusion. Whether it is rural hospitals and clinics under HIPAA compliance pressure, the many companies that depend on credit card processing (PCI compliance), or local credit unions that have faced stricter NCUA security regulations in recent years, all of these organizations are alike in one important respect: the common denominator behind their security vulnerabilities is very often a non-compliant, unaware third-party provider.
I have reviewed an uncountable number of networks in the past 10 years and can confidently reaffirm that third-party vendors are often the reason I end up sending my team in to clean up networks after ransomware attacks, to help address failed security compliance audits, and even to help leadership teams understand and evaluate the risks they take on when they simply hand the keys to their kingdom over to vendors they haven’t adequately vetted.
The running joke in the office is that we have essentially become risk assessors for third-party vendors. Since many of our clients (and prospective clients) don’t have the tools to assess whether a vendor keeps good security hygiene in house, we are the ones who end up making recommendations and reviewing and auditing the vendor’s network in order to give either a green light or a no-go on the partnership.
And let me tell you the truth: even though we might bring on a couple of vendors a year as clients, I hate having to give a red light to a partnership.
But the sad truth?
If I didn’t make recommendations from a security standpoint, especially to clients that depend on staying compliant and are concerned about their sensitive data (their clients’, their staff’s or their own business’s), they would be risking far too much for comfort.
And don’t get me wrong: not all vendors are neglectful. Even among those with terrible vulnerabilities that put their own clients’ sensitive information at risk, nobody wants a cyberattack or a data breach, and in many cases these vendors clean up the issues quickly enough that we can approve the partnership.
If you take only one thing from this rant, I hope it is this: keep a close eye on your vendors.
In my experience, too many organizations (credit unions, healthcare organizations and businesses of all types) fail to pay close enough attention to their third parties. And in many cases, organizations, probably including yours, give vendors too much access: permissions that are higher than the job requires, or access to parts of the network the vendor has no business reaching. A vendor account should carry only the access its contracted work actually needs, and nothing more.
The result?
Suddenly vendors are more than just partners. They become some of the biggest risks and liabilities your organization may face in a year or even a decade. In fact, 63% of cyberattacks can in one way or another be traced back to vulnerabilities caused by a vendor, either by leaving your network exposed and under-protected, or by leaving their own network unprotected.
Let me repeat that statistic one more time. 63% of cyberattacks. 63% caused by vendors not doing their due diligence in keeping your network protected. 63% opening doors and loopholes in your network. In other words, that is how often a vendor is behind the breached data, the incident you have to report, and the financial and reputational repercussions you face for violating patient, staff or client trust.
And as breaches become more frequent, the likelihood that a vendor puts your data security and integrity at risk goes up immensely. In fact, some cybercriminals target specific vendors precisely because of the vendor’s track record with client data security.
In most cases, your vendor ends up being your weakest link.
How can you make sure you’re not opening the door to vendor-related cyberattacks?
Understand and manage your risks: most organizations that leave their doors open to vendor-related attacks never evaluate the risks on their own network, rarely prioritize security initiatives, and don’t understand where their threats lie. They certainly do not vet their technology vendors for security best practices. Instead of making an emotional decision on vendor selection, define clear metrics, including the security guidelines you expect every vendor to follow.
Have thorough vendor documentation: without adequate documentation of vendor policies and procedures that address security concerns (specifically those of your industry), you are trusting your vendors to play by your rules with no consequences if they don’t. Include a complete security analysis of each vendor BEFORE a contract is signed (note: we are happy to assist with vendor review if you are in the process of finding a compliant vendor organization). Unless you get a third-party risk assessment of the vendors you wish to partner with, you will have an insufficient understanding of whether they comply, or will comply, with your security requirements.
Assess ALL of your vendors: it doesn’t matter whether the vendor is large or small. Even if they have security gurus on their team, make sure you know specifically what they are doing to keep your data safe. In some cases, the big players are in violation of compliance and security standards more often than the small ones.
Make the vendor match your criteria, not vice versa! Don’t try to fit a round peg into a square hole. If a vendor doesn’t meet your criteria from the outset, the likelihood is that they won’t change (at least not overnight). If you suspect that you are jeopardizing your security by signing with a vendor, consider walking away.
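The points above about vetting every vendor and about giving vendors more access than their job requires both come down to a review you can actually run against your own directory on a schedule. The script below is an added example written for this page, not code from the author or any real product: it takes a list of vendor accounts, compares each account's group memberships against the privileges the vendor's contracted job is allowed to need, and flags excess privilege, accounts that have gone stale, accounts with no contract scope on file, and accounts without MFA. The vendor names, group names, scope table and review date are all constructed for illustration; in practice the account list would come from an export of your directory and the scope table from your vendor contracts.

```python
"""Vendor access review: flag third-party accounts whose privileges exceed
what their contracted job requires, plus stale and unscoped accounts.

Added example. Every vendor, username, group and date below is constructed
for illustration, not taken from any real environment."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed scope table: the only privileges each contracted job needs.
# In practice this comes from the vendor's contract / statement of work.
ALLOWED_PRIVILEGES: Dict[str, Set[str]] = {
    "emr-support":  {"app-emr-admin", "vpn-vendors"},
    "backup":       {"backup-operator", "vpn-vendors"},
    "hvac-monitor": {"iot-hvac-read"},
}

# Constructed review date, so the example is deterministic offline.
REVIEW_DATE = date(2024, 6, 1)
STALE_AFTER_DAYS = 45


@dataclass
class VendorAccount:
    vendor: str
    username: str
    scope: str                 # contracted job; key into ALLOWED_PRIVILEGES
    groups: Set[str]           # groups the account actually holds
    last_login: Optional[date]  # None = never used
    mfa_enabled: bool


def review_account(acct: VendorAccount, today: date = REVIEW_DATE,
                   stale_after_days: int = STALE_AFTER_DAYS) -> List[str]:
    """Return a list of findings for one account; empty list means it is clean."""
    findings: List[str] = []

    allowed = ALLOWED_PRIVILEGES.get(acct.scope)
    if allowed is None:
        # No contract defines what this account should reach: treat every
        # privilege as excess until someone documents the scope.
        findings.append(f"unknown scope {acct.scope!r}: no contract on file")
        allowed = set()

    excess = acct.groups - allowed
    if excess:
        findings.append("excess privilege: " + ", ".join(sorted(excess)))

    if acct.last_login is None:
        findings.append("never logged in: disable or remove")
    else:
        idle = (today - acct.last_login).days
        if idle > stale_after_days:
            findings.append(f"stale: last login {idle} days ago")

    if not acct.mfa_enabled:
        findings.append("MFA not enforced")

    return findings


# Constructed sample export of vendor accounts.
CONSTRUCTED_ACCOUNTS: List[VendorAccount] = [
    VendorAccount("MedSoft", "medsoft-svc", "emr-support",
                  {"app-emr-admin", "vpn-vendors"}, date(2024, 5, 20), True),
    VendorAccount("BackupCo", "backupco-admin", "backup",
                  {"backup-operator", "vpn-vendors", "Domain Admins"},
                  date(2024, 5, 28), True),
    VendorAccount("AirCo", "airco-hvac", "hvac-monitor",
                  {"iot-hvac-read", "vpn-vendors"}, date(2024, 1, 3), False),
    VendorAccount("OldVendor", "oldvendor", "print-mgmt",
                  {"vpn-vendors"}, None, False),
]


def review_all(accounts: List[VendorAccount] = CONSTRUCTED_ACCOUNTS,
               today: date = REVIEW_DATE) -> Dict[str, List[str]]:
    """Map each username to its findings."""
    return {a.username: review_account(a, today) for a in accounts}


if __name__ == "__main__":
    for user, findings in review_all().items():
        print(f"{user:16} {'OK' if not findings else 'REVIEW'}")
        for f in findings:
            print(f"    - {f}")
```

The interesting line is the `Domain Admins` hit on the backup vendor: the account is used regularly and has MFA, so it would pass a casual "is anyone still using this?" check, yet it holds far more than a backup job needs. That is exactly the over-permissioned vendor account the text warns about, and it only shows up when you compare actual privilege against contracted scope rather than just looking for dead accounts.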
One last point
Treat this list as a starting point, but don’t rely on what I’ve gone through here as the whole solution to your vendor security. My hope is that you use these suggestions to start improving your vendor relationships and reaffirming your network security. If you still want additional advice to make sure your security is headed in the right direction, ask us about our IT security risk assessment.