Commentary

SaaS and Third-Party Risk: Is Your Organization Asking the Hard Questions?

An investment in due diligence might prevent your organization from being part of next week's breach news cycle.

Long gone are the days when organizations controlled all areas of their security. The threat landscape has changed so rapidly that even if a company's end users do everything perfectly to protect their assets and identity, a third-party breach can compromise their personal and private information.

One of the most important issues for organizations to consider is third-party risk. The SolarWinds and Kaseya breaches are just two examples of how third-party managed service providers can be leveraged to infiltrate thousands of companies. Attackers exfiltrate documents and customer information and then demand ransom, leaving organizations with a difficult decision: pay in the hope of restoring services quickly, or refuse and try to restore the environment themselves, which can take a significant investment in time and resources.

A Verizon blog post points out that millions of organizations depend on third parties that fail to secure systems and data adequately to prevent breaches. For example, software-as-a-service (SaaS) can leave an organization's software and data unprotected.

In order to prevent these types of situations, businesses must conduct vendor and third-party due diligence. Small and large businesses alike must spend time vetting third-party service providers about security practices, compliance frameworks, and security methodologies. Organizations must start to create third-party vendor qualification and risk assessments. And don't assume multimillion- or billion-dollar organizations have secure third-party systems and practices. From personal experience, I know large organizations are just as guilty of lax security practices as small ones.

Here are a few tips on how to reduce risk and better understand SaaS security, including what questions to ask:

  1. What type of auditing occurs on the platform being considered? Request validation from the third party of the most recent external security assessment.
  2. Does the third party hold a SOC 2 certification? This process assesses the extent to which a vendor complies with industry-standard security practices to secure data.
  3. If the third party is processing credit card information, has it been audited by an outside organization and earned its AOC (that is, attestation of compliance to the PCI-DSS requirements)? Internal audits alone are not sufficient.
  4. Is the third-party environment single-tenant or multitenant? Your data could be in a database shared with thousands of other organizations; multitenancy is a common way providers save money in a SaaS environment. However, if one of those organizations is breached, all could be at risk. It's like sharing a file cabinet with other companies: if someone breaks into the file cabinet, all the data is there for the taking.
  5. Can you reserve the right to audit, scan, and evaluate the environment with your own third-party cybersecurity auditing organization? This includes pen testing, vulnerability scanning, and proof of certification against SOC 2, PCI-DSS, ISO 27001, and other security standards that apply to your industry and regulatory requirements. Any reputable SaaS provider will already be scanned and subject to security audits under the appropriate guidelines. If the provider refuses, look elsewhere.
  6. Have you considered a subscription that provides an electronic SaaS evaluation? If you use several third-party SaaS providers, this might make sense. Vendor risk management tools or third-party risk management services might make the process easier to manage and maintain.

As more organizations move to the cloud, the use of third parties is becoming a normal part of conducting business. Make sure your organization conducts due diligence quarterly to ensure that SaaS providers are taking care of your organization's information and data. If you're already using a SaaS provider, ask the questions above. If you're looking to engage a provider, use these questions as a regular part of evaluating providers in the selection process.

An investment in due diligence might just prevent your organization from being part of next week’s breach news cycle.
