Practical Security Strategies to Protect Your Organization from Third-Party Vendor Cyber Threats

 One of the internet’s greatest strengths in business, the ability to share information internally and externally, has turned into one of its biggest liabilities as cybercriminals around the globe relentlessly attack security vulnerabilities of third-party vendor networks.

The severity of vendor assaults has become particularly alarming in the healthcare industry. Last year, nine of the 10 largest data breaches were the result of vendor networks being hacked, according to research by trade publication SC Media. The largest breach occurred at OneTouchPoint, a printing and mailing company that works with health insurers and providers, where hackers obtained information on 4.11 million people at more than 30 health plans.

The healthcare industry is hardly alone when it comes to the ever-increasing cyber attacks on third-party vendors by adversarial nation-states, organized crime gangs and terrorists. In today’s global economy, more organizations than ever before are outsourcing some part of their operations, including network security. It is not unusual for a business to partner with multiple security vendors who have built various technologies to solve specific problems, like proof of identity or access management, for example. At first glance, this might look like a sensible approach. If there is a potential hole in your organization, why not partner with an expert who has built the tech to plug it?

The problem is that these technologies are rarely properly implemented on their own and almost never properly integrated with each other to create a cohesive, impermeable security mesh. The consequence of having multiple security systems is what I call “technology noise.” Companies and individuals cannot possibly stay up with the most recent security technology. There is just too much of it and the development pace is frantic. And there’s no incentive for the firms offering solutions to particular problems to integrate with other pieces of tech.

Leaders must think strategically when working with multiple vendors to safeguard their businesses or risk falling victim to cybercriminals who are working 24/7 to wreak havoc on unprepared organizations. Here’s how you do it:

1. Assess cybersecurity risk

One of the best places to start is to conduct a risk assessment to identify weaknesses and potential threats your organization could face internally and with vendors. In cyber warfare, it’s called analyzing the attack surface, or the sum of every potential point of entry into an entity’s online data or operations system.

The assessment needs to be comprehensive and encompass network security, privacy technology and protocols. Think of the assessment as an internal audit to identify what information is shared, who has access to it, where the data is stored, and what safeguards are in place to protect that information. The assessment should also be on-going to reflect any and all changes that vendors are making to their products and processes.

2. Make sure vendor controls are in place

When working with vendors, companies should have clearly written policies, procedures and controls in place to protect confidential information. Leaders should focus on:

Limiting user access: The more people accessing data, the greater the chance that unauthorized individuals will steal the data or gain control of your network. Access controls can help ensure that only approved users have permission to access sensitive company records and resources.

Monitoring and reviewing user activity: In addition to knowing who has access to confidential data and company resources, it is also essential to know what they are doing on your network. Software applications can monitor user activity across company networks and devices – and reviewing user activity can help identify suspicious behavior.

3. Strategies to prevent attacks

You cannot win a war by defense alone. Our enemies think unconventionally and creatively, so we must constantly evaluate the strength of our resources and anticipate our adversary’s next move so we can counter them effectively. In the Fifth Domain of cyberspace, the importance of Strategic Cyber Operations (SCyOps) cannot be overstated. And the following building blocks of SCyOps forms the foundation of how companies can prevent cyber attacks:

Threat Analysis: All vulnerabilities are reviewed and organizational assets are classified into a subsystem and assigned a level of criticality, which allows leaders to make risk-informed decisions.

Threat Engineering: The threat engineering team works closely with the threat analysis team to maintain, update and create threat detection. This team weeds out false positives and gives the company ample time to configure mitigation and patch management strategies.

Threat Hunting: Threat hunting involves monitoring the latest threats, techniques, tactics and procedures being used by cybercriminals to identify optimal protection solutions to prepare and protect the company from possible attacks.

Our SCyOps framework helped a large healthcare provider (nearly 300 physician practices, 800 clinics and 300,000 patients) protect its vast network – and the many third-party vendors who are connected to it – from internal and external threats, and achieve compliance with The Health Insurance Portability and Accountability Act.

Make no mistake about it. The third-party vendors you work with are under attack from adversaries are armed with cutting-edge technology and do not play by self-imposed business “rules” and etiquette. But if you follow these steps, you will be better prepared when cyber assault happens so you can protect your organization and our American way of life.