With recent headlines on the Equifax data breach, corporate security couldn’t be more top of mind these days. And Equifax is not alone. The “victims” keep piling up year after year - Target, Yahoo, and LinkedIn have suffered some of the largest breaches in history.
We’ve heard all the stories about why this keeps happening. Hackers are super smart, and they get more sophisticated at outsmarting security protocols. Yes, those factors definitely play a part.
But here’s another key factor: the affected organizations are behind the eight ball when it comes to assessing and managing risk. Here are just a few staggering statistics on what is (or isn’t) happening relative to corporate security practices:
- According to Harvey Nash & PGI’s Cyber Security Survey 2016, of the 200 senior information security professionals surveyed, 46% of respondents described their approach to operational security as “reactive”.
- Only 31% of participants in KPMG’s CCO Survey use an enterprise-wide platform to monitor risks associated with third-party vendors.
- The average amount of time it takes organizations to find any given data breach is 201 days, according to the Ponemon Institute. But, businesses that find breaches in 100 days lose less in the process - $1 million less, on average.
IT and compliance teams are not taking the appropriate measures to protect companies from risk, and this lack of action takes many forms. Sometimes it’s having the appropriate policies and procedures in place (incident response plans, for example) but not updating them frequently.
In other cases, IT and compliance groups lack the necessary expertise to complete critical functions like penetration testing. Those functions may get outsourced (if they’re lucky) or not done at all.
A growing trend among businesses is to simply pay lip service to the practice of vetting third-party vendors like SaaS platforms. Here’s a sample scenario:
- ABC company is interested in using XYZ SaaS platform.
- ABC company provides XYZ SaaS platform with a checklist of security protocols.
- XYZ SaaS platform must adhere to all the security protocols on the checklist in order to do business with ABC company.
- XYZ SaaS platform reviews the checklist and answers “yes” to all security protocols.
- XYZ SaaS platform might even create some documents outlining their security practices to share with ABC company.
- ABC company accepts XYZ SaaS platform’s answers on the checklist and gives approval to proceed with XYZ SaaS platform.
We’ve all been burned by taking individuals at their word. That’s not to say that everyone we encounter is untrustworthy. But in the case of corporate risk assessment, the potential outcomes are more important than the relationship with the third-party vendor. If a massive data breach occurs, your business is ultimately responsible (and may incur irreparable damage).
In order to avoid future risks, IT and compliance leaders must implement stringent policies when evaluating third-party vendors - SaaS or otherwise. Here are our recommendations for the critical steps to protect against (and manage) risk:
1. Regularly Identify Third-Party Platforms
Taking stock of all the third-party platforms your business uses may be the most time-consuming part of the process. If you’re lucky, the known platforms are all listed in your ERP in a straightforward manner. If not, you may be searching for contracts or contacting department heads to find out what they use. Whatever the case, identify all the ones you are aware of, and then go back and look for platforms unknown to you. You’ll start the risk management process from this master list.
2. Require Every Vendor Go Through Compliance Checks
If you’re not doing it already, run third-party vendors through compliance checks. Make sure to review all the security documents they provide. And don’t just “check the boxes” like we mentioned above. Compliance platforms and/or outside consultants can go through and verify the compliance of third-party vendors, giving each vendor a score and specific details on where they are out of compliance. Take these details back to the third-party vendors and ask them to make changes and come back to you when they are complete, so you can check for compliance - again.
Thorough penetration testing of each third-party vendor will also ensure you find major security holes - before hackers get in. Many organizations don’t have the time or the expertise to perform complex penetration testing, but it can be outsourced. Whichever route you decide to take, make sure penetration testing happens before implementing any third-party platform.
3. Don’t Use Non-Compliant Third-Party Platforms
Here’s the hard part: when issues of non-compliance arise, it’s critical to hold the line. If your company is already using the third-party platform, usage has to stop. Depending on the level of noncompliance, you may decide to give the vendor the opportunity to go back and resolve the issue - or you may end the vendor relationship entirely. A number of factors will come into play: how serious was the issue, how many employees use the platform, and whether or not the platform can be easily replaced are just a few.
4. Rinse and Repeat With All Third-Party Vendors
Going through these steps once will only guarantee compliance at one point in time. But change happens at lightning speed. SaaS platforms make software updates. New government security regulations take effect. Hackers find new techniques. In order to stay ahead of risk and compliance, businesses must repeatedly take action to verify procedures and protocols.
5. Maintaining Compliance is Critical to Prevent Potential Incidents
If you’re struggling with SaaS as a large part of the equation, contact Meta SaaS. Our SaaS vendor management platform will support your efforts to identify, manage, and assess your SaaS landscape.