Third Party Vendors in Cybersecurity: Is Your Security 6 Preventing a Weak Link?

By Gordon Rudd, Third Party Risk Officer, Venminder

Cybersecurity professionals are constantly looking for threats and vulnerabilities. It’s a constant battle to protect our corporate networks from the bad actors roaming cyberspace. When we do find something, we immediately begin running down the kill chain. 

The term kill chain was originally a military term. In the 1990s, it was adopted by healthcare to better define the search for, and eventual destruction of, the things in our world that make us ill. Ten years later, the term began to be used by cybersecurity professionals to more aptly describe the search for viruses, malware, and the eventual eradication of the software that sought to infect our computer systems. 

Today’s corporate networks are protected by very sophisticated combinations of hardware and software, but still, the bad actors keep finding new ways to break into our networks. 

Protecting Your Organization

How do you know who is going to see your data, and how can you make sure you are conducting the due diligence needed to keep this nightmare scenario from occurring on your watch? Put an appropriate third party risk management program in place. We must manage our vendors in a way that recognizes cybersecurity risk exists and gives us the appropriate weapons in our arsenal to run down a kill chain together with our third party service providers.

If we make certain we have the Security 6 regarding cybersecurity in place, then we are far less likely to fall prey to cybercrime. These include: 

1. Vendor Selection. While performing proposal work upfront, look for vendors that are using reputable software and subservice providers, aka fourth parties. Have your potential vendors send you a short list of information you can review for cybersecurity. One of those documents must be a SOC report. 

2. Risk Assessment. Diligently assess the risks the vendor and the vendor’s subservice providers might pose to your organization by anticipating possible ways of failure. Read the vendor’s SOC report, see if there are any findings that could lead to a breach, and verify that cybersecurity controls are in place and operational.

3. Due Diligence. Perform proper due diligence to ensure the vendor is who they claim to be and can provide the product/service in a safe and secure manner. Site visits can be helpful.

4. Contracting. Set contractual standards you and the vendor agree to and write them clearly in the agreement you both will sign. Remember, if it isn’t in the contract, it’s not going to happen.

5. Reporting. Make sure senior management knows how the organization’s vendors are performing on a quarterly basis, at a minimum. 

6. Ongoing Monitoring. Keep a watchful eye on your vendors; it is one of the best methods of ensuring satisfactory vendor performance and avoiding surprises. It is not a once-a-year ordeal but a constant process. 

Today’s cybersecurity professional must also follow the myriad laws, regulations, and guidelines issued through federal legislation, federal agencies, state laws, and state agencies. 

Understand the Control Environment 

With all this sophistication and attention to detail, one would think we would be 100% safe, wouldn’t one? Yet, just like the virus that invades the human body, it only takes one piece of malware from one bad actor, unwitting employee, or careless vendor to open the gates and let the bad guys overrun our network.

So how do you verify that a vendor has proper controls in place? Review the following: 

  • Business Continuity Plans (BCP). Designed to keep the business operational in the face of disaster scenarios. 
  • Disaster Recovery Plans (DRP). Outline the process for returning to normal operations after a disaster.
  • SOC Reports. Identify the security controls that are in place and which controls are operating effectively to keep information secure.

Make sure these are part of your due diligence requests from every new vendor. 

Be Proactive with Strong Cybersecurity 

While all this cybersecurity effort is certainly necessary today, it can all be undone by bringing the wrong vendor inside the gates. That’s why vigorous vendor management is an absolute must.

Venminder is a sponsor and exhibitor at RMA’s GCOR XIII, April 10–11, 2019. For more information and to register for GCOR, please visit the GCOR website.
