Compromised vendor systems have led to several major data breaches recently. And sometimes, vendors get breached because of a partner's lax security. A group of tech companies led by Uber is banding together as the Vendor Security Alliance to prevent more of these types of attacks.
The newly formed coalition, whose founding member companies include Airbnb, Atlassian, Docker, Dropbox, GoDaddy, Palantir, Square, Twitter, and Uber, aims to streamline the security vetting process for third-party providers so that businesses will know the security mindset of the vendors they're partnering with.
An organization's security depends on what the partners, and the partners of those partners, are doing, but strengthening that relationship is a challenge.
"It's no longer enough to embrace these [cybersecurity] practices at your business alone -- ensuring the companies you work with as vendors also have the most secure Internet practices is just as important," wrote Ken Baylor, Uber's head of compliance and the driving force behind VSA. "Ask any business in Silicon Valley, and they'll tell you measuring and mitigating vendor risk is as cumbersome as it is crucial."
The Vendor Security Alliance will address this problem by releasing a questionnaire that businesses can use to assess a vendor's security posture. All members will have access to the results of vendor audits, as well as input into the focus and scope of the questions asked, wrote George Totev, head of risk and compliance at software company Atlassian. Each member is expected to use the questionnaire as the default audit mechanism across all of its vendors.
Once the vendor completes the questionnaire, an independent third-party auditor specializing in information security will evaluate the answers and assign the vendor a letter grade. The idea is that businesses will use the grade to know which vendors are following best practices in security, much in the same way consumers use health ratings to decide which restaurants to visit.
"Every day, industries across the globe depend on each other to embrace sound cybersecurity practices: yet in the past companies have not had a standardized way to assess the security of their peers," the group wrote in its mission statement.
Ask the right questions
There's plenty of discussion about best practices, compliance rules, and security frameworks, but evaluating a vendor tends to be a slow and painful process. Currently, it involves repeated interviews, numerous technology and process reviews, and in some cases, an actual audit. The VSA questionnaire, which will cover such areas as policies, procedures, privacy, vulnerability management and data security, establishes a standard for vendors to follow.
Points will be granted for sound practices like having policies around data protection and access controls, but points can be deducted for practices that could increase security risks, such as not using encryption. IT teams need to know whether the vendor knows how to securely handle sensitive customer data, has the capability to detect attacks in their network, trains developers on secure coding best practices, and follows industry best practices for configuring systems.
The questionnaire will help vendors figure out what they need to focus on in terms of security in order to be able to keep working with VSA-member companies.
The first questionnaire is expected Oct. 1. Nonmember firms will also be allowed to use the questionnaire, which would be available for free, but would not receive the vendor assessment and grade from the independent auditor.
The survey will be updated each year, to "continuously raise the bar for vendors and hold them accountable for increasing cybersecurity standards," Baylor said.
Mitigate the third-party risk
A focus on third-party security is long overdue. For example, thieves gained access to Target's payment systems through a compromised system in Target's HVAC vendor's network.
Target is not unique in this instance. A recent Santa Fe Group study of 617 organizations across different industries found the organizations in the report had spent an average of $10 million to respond to a security incident as a result of negligent or malicious third parties.
"Vendor vulnerability merits much more attention than it has received even in the wake of egregious breaches like that of Target," said Rajiv Gupta, CEO of Skyhigh Networks, noting that cloud services are increasingly used to connect with third-party vendors. The average company connects to 1,555 partners through the cloud, including suppliers, distributors, vendors, and customers, and 30 percent of corporate data is shared with partners that are high-risk, according to statistics collected by Skyhigh Networks.
"Assessing yourself against best practices and understanding how well your vendors manage their programs is an important step when it comes to building a security program at any company," wrote Nathan McCauley, director of security at Docker.
The tech landscape is already cluttered with security coalitions and alliances focused on protecting infrastructure and data, but the VSA is different because it specializes in third-party risk. How successful it will be remains to be seen, since most companies still don't consider vetting the security practices of third-party providers as a high priority. In the Santa Fe Group study, a mere 8 percent named improving relationships with business partners as a top risk management objective.
Many organizations remain unaware of how much data is in the hands of a cloud provider and how their operations overlap with third-party infrastructure. Until they realize that, VSA's impact will remain limited.
There are a few issues still left undecided, such as the company the VSA will select to perform independent verification of the questionnaires and assign grades to the vendors. The fee for joining the alliance -- which is open to new members -- is also still undetermined.