If you ask the 50 banks that recently had customer data exposed when their accounting firm lost a number of their audit laptops to theft, the answer is no. Incredibly, the accounting firm’s lost laptops apparently did not utilize data encryption even though they contained sensitive customer information. This left the banks in the un-welcomed position of having to notify customers of a data breach.
Anecdotally, our experience doing security audits across many industries indicates that much (maybe even most) of the risk of sensitive data loss in an enterprise is associated with their vendor’s lack of adequate security controls.
Ironically, when a company outsources a service they are also outsourcing much of the security risk. For example, when you host servers at a co-location facility, you are paying for more than just a network connection and the rack real estate to mount servers. You want redundant power, physical security, environmental controls, etc. However, many vendors that provide services which involve access to confidential data do not have the security controls that you’d expect.
Because this incident involved the banking sector which is highly regulated with specific requirements for vendor due-diligence, it highlights the challenge of implementing an effective vendor management program.
Let’s look at the basic steps of a vendor management program and highlight some areas of significant risk. A vendor management program might involve the following steps:
Create an internal policy for vendor management to ensure that a consistent and well-documented process is in place for handling vendor due-diligence.
Identify vendors (From an IT perspective a risk assessment or a business continuity plan might be a good place to start to identifying vendors that deserve scrutiny. For a company-wide data loss prevention strategy, a Gramm-Leach-Bliley Act (GLBA) oriented risk assessment that specifically highlights areas of risk with regard to customer confidential information would be a place to start.)
Audit each vendor to assess how they handle security and make sure that other parts of the internal vendor management process are in place, such as having a good contract in place with the vendor that covers the handling of confidential data, etc.
Unfortunately, adequate risk management requires that all of these steps be effective.
Step 1 is pretty easy and regulated companies in particular often have a pretty evolved policy and process in place.
Step 2 is harder though. Because a business may utilize so many vendors and it may not be obvious which ones have access to confidential data, it is possible for a vendor to avoid getting on the company radar for inclusion into the vendor management process. Fortunately, if management is dedicated to risk management and disciplined to continually re-visit the process, the risk that a vendor is excluded from the process can be minimized.
Step 3 however, is the most challenging, because it is not well defined to what extent a company needs to “audit” their vendors. Most vendor management processes will require that the vendor’s security policy is reviewed. The question is: do you trust that the company is actually doing what they say? From our audit experience – you shouldn’t. Some vendors will have a security audit that can be shared to help show that they are actually doing what they say. The risk here of course is that an audit is only as good as the people that do the audits and the process used to audit. For example, in the financial services industry, if you ask your vendor for an audit, they’ll show you their SAS 70. Unfortunately, in our experience, there seems to be little correlation with the findings on a SAS 70 audit and actual security risk. We see instances where a company gets a clean SAS 70 report, but our analysis indicates that they are violating the most elementary security best practices and exposing their customers to significant security risk. (perhaps more on that in another post.) Of course you could hire a firm to do an audit on your vendors, but that somewhat defeats much of the cost benefits of outsourcing. After all, don’t we tend to outsource areas where we don’t have the expertise or resources? Our Fortune 100 clients actually have us do this sort of thing, but it’s not practical for everyone to have an outside firm conduct a security assessment or penetration test on vendors.
One thing you CAN do here though is to ensure that your contract with the vendor does allow you to audit them. If your contract with a vendor specifically excludes this right, beware, they may have something to hide.