How Third-Party Failures Can Expose Your Business

Third-Party Failures

Enterprise cyber security has changed. Businesses can no longer be satisfied with just monitoring their own security to safeguard against attacks. Cyber attackers actively explore different ways to hack into the network and application layer. It has never been more important for third-party security to form an integral part of business policy. Enterprises must be on guard when it comes to running third-party software, whether the application is outsourced, open-source or commercial-off-the-shelf.

With IT outsourcing becoming increasingly common, it is essential that firms come to understand the importance of securing the supply chain, including third-party software, as well as in-house IT assets. Awareness of the threat of cyber-attackers has grown exponentially in recent years, and this consciousness has given way to a public who are far less forgiving of mistakes – whether it’s your own or due to misplaced trust.

The 2014 data breach at US retailer Lowe’s was the result of a third-party vendor’s failure. Lowe’s was a bystander in this security downfall, yet it was the home-improvement company who’s reputation that was at stake and who was left scrambling to pick up the pieces.

Learning From Past Mistakes

A third-party vendor called E-DriverFile were hired to provide a computer platform to store compliance documentation and information about employees. The personal data stored included names, social security numbers, dates of birth, addresses, driver’s licenses and driving records — for both current and former Lowe’s drivers and system administrators.

According to reports from FierceITSecurity, E-DriverFile unintentionally backed up the data unencrypted to an internet-facing server, which meant that it was accessible on the internet from July 2013 until April 2014, when the error was discovered and resolved. In a letter to those affected, Lowe’s VP of human resources stated that there was no reason to believe the information had been misused. However, investigation suggests it may have been accessed while it was available online, which would leave these individuals at risk of identity theft.

No Man Is An Island: Securing New Perimeters

Operating as an “island” is simply not an option for an enterprise to thrive. However appreciation of the risks involved in introducing third-parties into your environment must improve significantly. The reality for modern business is that they will be held accountable for any breach of customers or employee data- regardless of the circumstances.

Enterprise must ensure that they are actively securing this threat perimeter, to avoid further high-profile breaches involving third parties, such as in the case of Target, Home Depot, TK Maxx and Lowe’s. This includes comprehensive due diligence of vendors’ IT policies to prevent incidents such as Lowe’s where they inadvertently exposed highly sensitive data.

Another critical method for reducing risk is to test for security vulnerabilities in software and web-facing applications. In March 2014 Citroen hit the headlines when they suffered a breach at the hands of a hacker gang who were exploiting a vulnerability in Adobe’s ColdFusion software. With the majority of software deployed by enterprise now consisting of externally developed, open source or commercial-of-the-shelf software managing this risk is a business priority. Assumptions regarding a third-party’s security credentials are not sufficient.

Trusting A Vendor Blindly Does Not Work

Effective relationship management between the enterprise and the vendor are crucial to solving this problem. It is important to be explicit about the necessary security measures that vendors must have in place as part of their contract to ensure they’re fulfilled. When securing the software supply chain, enterprises must not rely solely on paper-based self-assessments but move towards more in-depth assurance methods.

Large enterprises are seeing success with introducing contractual obligations for software vendors to conduct static, dynamic or manual penetration tests on the software they provide. Embedding security into the procurement process prior to deploying an application is an important step towards safe-guarding the enterprise network.

Software hosted or supplied by third-party vendors must undergo the same scrutiny as software developed in-house. Ensuring vendors scan all applications for vulnerabilities is critical for safeguarding all-important data and IP. However, with threats ever-evolving, it is important that vendors are prepared to and have the resources to establish regularly repeatable, policy-based process. This could be aided by working with vendors to integrate security measures into their software development lifecycles. This ensures future code is as clean as possible, limiting any remediation requirements.

Make A Plan

A third-party vendor security programme is not an ad-hoc project. Vendor security testing is a process that should be fully adopted by an enterprises’ Security, Legal and Procurement departments. Embedding the processes through the enterprises’ supply chain is the future for lowering the threat and vulnerabilities in the production environment. It is the growth in IT outsourcing that makes this a business imperative.

Addressing an enterprises’ third-party security is a problem that cannot be resolved overnight and an issue that can initially seem daunting. Many businesses are seeking for third-party security experts to deal with this issue through practical experience enrolling vendors onto the programme and shifting attitudes to facilitate a collaborative approach.

Whatever path your business takes, the key take-away is understanding the risks third-party software poses to your data and your reputation. Even if your business has little or no involvement with the development, management or hosting of a vulnerable application, if your brand appears on the product, you’ll have to shoulder the blame if an incident occurs. By preparing in advance, you’re not only safeguarding your data. You are protecting your brand reputation across the board.

Manju Sharma

Manju Sharma is Security Program Manager at Veracode. Veracode is a leader in securing web, mobile and third-party applications for the world’s largest global enterprises.