Third party vendor risk management should be a main priority for companies that outsource all or some of their IT and business services to third party service providers in order to reduce costs, leverage external expertise, and focus on their craft. As they say, “the main thing should always be to keep the main thing, the main thing”.

Third Party Vendor Risk Management

As companies place their trust in others to serve them and ultimately their customers, they must have some assurance that the vendors providing support services are managing the risks properly and meeting compliance and regulatory expectations. From a governance standpoint, vendors should not be in a position to dictate a company’s policies although vendors can help shape the policies and standards with their exposure to industry best practices.

This article is about the risks that must be managed when engaging a vendor to support a business process or outsourcing some functions.

Relationship Risks

Companies are ultimately liable for the protection of their client data and the quality of the services they provide to their clients, whether they outsource some or all of those services. Companies must also ensure compliance with regulatory and industry requirements, such as privacy, as part of their services. In the normal course of business operations, companies are pretty good at managing their risks by identifying, prioritizing and mitigating them. However, businesses tend to be less concerned with the risks they hand to third party service providers when they outsource. Thus, companies must shift their thinking when it comes to third party vendor risk management in order to raise awareness of the risks which, if left unaddressed or unmanaged, can present a variety of negative consequences for companies. This is why service level agreements and data protection clauses are important to make sure vendor risks are managed properly.

Consequences of Poor Third Party Vendor Risk Management

Consequences of unaddressed third-party vendor risks include data breach incidents, lost clients and revenues, lawsuits, negative publicity, a damaged company brand, penalties for noncompliance with government regulations, and jail time for executives. Customers are often unaware that the companies they deal with outsource services to third parties, but even if they are aware, they would not care as long as they remain confident that those companies take full responsibility for data protection and the quality of services.

Company Role

When outsourcing, companies must maintain control over information security governance, document comprehensive contracts that list vendor responsibilities especially with respect to information security, data access, use or sharing, and perform independent audits to ensure compliance with privacy, information security, and contractual requirements.

Companies must ensure that their established policies and procedures are being followed through employee training and monitoring, but they must also ensure their vendors apply the same level of due care when it comes to managing risks. Information security officers can develop and execute a customized audit program for each selected vendor as part of their annual security plan to assess risks and provide constructive feedback to their executive management regarding vendor policies, procedures and operations.

Information Security Governance

Information security governance should not be confused with information security management. Governance, which must be an internal company function, determines who is authorized to make decisions, specifies the accountability framework, provides oversight to ensure that risks are adequately mitigated, and ensures that security strategies are aligned with business objectives and consistent with regulations. Information security management, which can be wholly or partly outsourced, is concerned with making decisions, ensuring that controls are implemented to mitigate risks, and recommending security strategies.

The National Institute of Standards and Technology (NIST) describes information security governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility to manage risks.

Since information must be treated like any other critical asset essential to the survival and success of the organization, information security governance, which is a complex and critical function, must be elevated to the highest organizational levels. According to Identity Management Institute, governance refers to an organization’s oversight and practices by a committee of the Board of Directors and/or Executive Management to assign a chief information security officer, provide strategic direction, approve the information security program, support the CISO in achieving the program’s objectives, and require an annual report regarding the state of information security and compliance.

Vendor Compliance Risks and Beyond

When a company outsources some services to a vendor or multiple vendors, whether it’s for a particular business process, software development, or system management, the company also expects and relies on the vendor to manage the same risks that they would have to manage if they were performing the outsourced activities in-house. For example, vendors are expected to have proper hiring and staff management practices around their employees and contractors, which include full background checks, adequate human resources policies and procedures, and employee training. When internal controls don’t exist or are not functioning properly, then companies can be exposed to some unmanaged risks.

Depending on the nature of the outsourced business process, some services pose greater risks than others. For example, there is usually less risk with an automated service if the system has been properly tested and undergoes limited and less critical changes. On the other hand, if your company is a bank and you outsource loan application processing, you may be exposed to risks in the areas of privacy compliance, system integrity and loan decision accuracy, as well as system security, data backup and protection, disaster recovery and business continuity.

Risk Assurance

There are a few ways that companies can make sure that vendors are properly managing the risks. For example, some of the least expensive risk assurance options include a Request For Information (RFI), Standard Information Gathering questionnaires, and review of independent audit reports provided by vendors, such as SSAE 16, FISMA, and ISO audit reports. A more expensive option is to send auditors to examine a specific area in depth. Most companies use a combination of all these options to get comfortable with a vendor’s internal controls, but many of these actions depend on how the outsourcing deal was negotiated and what the contracts allow or prevent a company from doing in the area of risk assurance.

Vendor Options for Managing Audit Costs

In order to manage audit costs and prevent every customer from auditing as they wish, which can consume enormous time and resources, service organizations should consider undergoing an independent audit and sharing the results with customers. Even if customers decide to audit vendors at their own expense, there are still many audit support costs that vendors will incur, especially if they have thousands of customers. One of the accepted and most common audit options in the US is the SSAE 16 audit, which is also popular due to the increased regulatory oversight of the Sarbanes-Oxley Act and the customer requirement that their service organizations obtain and submit an independent audit report. Other benefits of an SSAE 16 audit report for vendors include instant credibility with their customers and the perception that the vendors are responsible, independent confirmation of their internal controls by a third party, and cost savings because the annual audit report can be shared with all clients who ask for it. In addition, a credible independent audit report can satisfy multiple customer audit requests and reduce the number of customer audits.

SSAE 16 Audits

SSAE 16 stands for the Statement on Standards for Attestation Engagements, number 16, which is a recognized third-party assurance audit designed for service organizations. There are two types of SSAE 16 audits. Type one provides limited assurance at a point in time, whereas SSAE 16 type two provides the highest level of assurance over a period of time and includes detailed testing. The scope of an SSAE 16 audit is either decided by the vendor or negotiated as part of the business contracts; however, the usefulness of the audit report depends on whether the audit scope actually covers the outsourced services. Some common areas covered in SSAE 16 audits include employee and contractor management, privacy, identity and access management, information security, system development, data backup and IT operations. The final SSAE 16 audit report is very important to companies because it gives them an independent opinion regarding the vendor’s internal controls.

Best Audit Options

Due to their inherent nature, RFIs are less reliable because vendors attest to their own internal controls and there is no independent verification of the assertions. On the other hand, independent audits are more reliable, but they can be expensive. So in order to be cost effective in the vendor assurance process, the high-risk vendors can be identified and audited based on a predetermined audit type and frequency. Companies must determine what constitutes a high-risk vendor and decide what type of audit they will need to perform and how often so they can include audit provisions in the contract.

Audit Costs

Often companies are required to pay for the audits that they choose to perform; at other times vendors cover the audit costs when they complete questionnaires, submit documents for review, and obtain an SSAE 16 audit report. Independent audits by third parties can be very expensive; however, vendors sometimes cover the costs to satisfy contractual agreements made with their clients, to appear to be a good business in order to attract new customers or retain existing ones, and to reduce the overall audit costs.

Final Thoughts on Third Party Vendor Risk Management

For third party vendor risk management, companies must first identify the high-risk vendors, depending on the type of services that they outsource and the data that they share with them. Next, they must decide the type and frequency of assurance methods, such as a standard information gathering questionnaire, document review, reliance on the SSAE 16 audit report, or a combination of these methods. However, SSAE 16 audit reports are not always available, and their audit scope does not always include the critical processes that customers need covered. One thing to keep in mind is that audit requirements, once identified, must be coordinated between the legal, vendor management, business, and audit teams for a couple of reasons. First, we want to make sure that there is an audit clause in the contract which allows the company to actually audit the vendor as necessary at the company’s discretion, and which allows the security team to schedule resources if they have to audit a particular vendor. Lastly, companies should review the results of the audits and follow up with the service organization to make sure that it remediates any findings within the agreed upon time frame.

There are some Multi-Factor Authentication security risks that we have witnessed from recent cybersecurity incidents although MFA is a great method of securing systems and data when properly implemented. MFA improves security because access doesn’t rely solely on weak user passwords, and it could have prevented some of the latest breaches, such as the Colonial Pipeline breach that created fuel shortages across the East Coast of the United States. However, when used improperly or as the sole security method, hackers can still gain access to the corporate systems and data.

Multi Factor Authentication Security Risks and Problems

What is MFA?

MFA is a technology that requires users to verify their identity using multiple authentication methods when logging in or for other transactions. MFA combines two or more credentials from independent categories: what a user knows (such as a password or security question), what the user has (such as their phone, ID card, or a security token), and what the user is (using biometric validation such as a fingerprint, face match, or retina scan).

Combining multiple access requirements makes it harder to bypass security. For example, someone may guess that your password is your dog’s name and your birth year (a bad idea, by the way), or they may have found it in another data breach. If they try to hack into your bank account and your bank also requires you to enter a verification code texted to your phone, the hacker’s job is harder.

As mentioned, MFA could have prevented some well-publicized recent breaches. For example, the Colonial Pipeline breach occurred as the result of one breached password. Hackers accessed the system through a VPN (Virtual Private Network) account, which was intended to provide additional security. A simple MFA requirement would likely have prevented this attack. Companies using a VPN connection should require strong authentication with at least two of the authentication factors listed above.

Unfortunately, as companies increase their security requirements, hackers are also adapting their attacks. There have been recent attacks that were able to bypass security systems, including some MFA requirements. For the SolarWinds Orion compromise, for example, attackers stole the single sign-on (SSO) private keys, which allowed them to bypass the MFA checks entirely.

When MFA and SSO portals are combined, there may also be architectural design flaws that keep the protection from working as designed. For example, once a user is initially authenticated, if additional MFA verification is not required when accessing more sensitive systems, this creates a weakness. This weakness could allow a single low-security machine or employee to be compromised once, and then trusted throughout the company’s network. This weakness is further expanded if a company does not grant least-privileged access and allows user access for unnecessary systems.

Multi Factor Authentication Security Risks

There are several approaches hackers use to bypass MFA requirements (such as social engineering, technical attacks, and physical theft), and they often combine multiple methods. Some of the most common, and easily avoidable, multi-factor authentication security risks are described below.

Social media mining is common, such as getting users to play games that reveal personal information on Facebook. Remember what we said about using the dog’s name and your birth year as a password? Seemingly innocent posts, games, and pictures provide enough information that, grouped together, give hackers a wealth of information. This may be used to help guess your password or the answers to security questions, such as the make and model of your first car or your school mascot.

Technical attack examples include malware and Trojans. Cerberus is a Trojan that utilizes Android’s accessibility features such as “enable unknown sources” or “developer options” that allow hackers to enable remote access, escalate user privileges, and install malware on the target systems. Hackers used the Cerberus Trojan to reverse-engineer the Google authentication flow, extract two-factor authentication credentials from mobile apps, and then mimic/bypass the Google Authenticator.

MFA verification solutions using Short Messaging Service (SMS) text messages are especially easy for hackers to defeat. You’d think a hacker couldn’t defeat this method because you have the phone physically in your hand, but SMS is notoriously easy to break. In fact, the U.S. government has recommended that no MFA solution should include SMS verification tools. The weakness comes because hackers can easily convince the cell provider to transfer your phone number to them. Hackers have used this method to steal hundreds of millions of dollars.

Although MFA is a good start, businesses need to do more to secure their systems. Legacy MFA structures rely on a password as the initial security screen. Since the user’s password is typically the least secure step in the system, that weakens the entire security structure. Additional steps such as SMS confirmation, one-time codes, and so-called “security” questions may slow down a hacker, but they are often little more than an inconvenience.

Managing Multi-Factor Authentication Security Risks

With all this information about MFA’s weaknesses, does it mean we should scrap MFA completely? Absolutely not. Every layer of security helps, but there are ways to provide additional security. Below we discuss some recommendations for proper MFA use.

Use more secure forms of MFA, such as FIDO, and avoid MFA solutions that rely on SMS. FIDO2 (Fast Identity Online) security keys provide unphishable, standards-based passwordless verification. FIDO combines added security for the company with convenience for the user by relying on a platform key built into the device or an external security key, eliminating the password hassle.

Remember that tricking biometric MFA solutions isn’t that difficult. Fingerprints can be stolen, created in gelatin, and used to bypass scanners. Scanners allow slight variations to account for sweaty fingers or abrasions, for example, which means forgeries don’t have to be all that exact. A Vietnamese security group has created a mask that can trick Apple’s face scan. Biometrics are good, but they shouldn’t be viewed as foolproof.

Combine your MFA with other security methods such as least-privileged access. This process entails giving users only the lowest levels of access necessary to perform their daily tasks, and requires granting additional permissions on an as-needed basis. This restricted access helps reduce risks associated with shared accounts, and if one user gets compromised, it prevents access to more highly secured areas.

Have a plan for lost devices. Anything that a user has, such as a phone or a token, a user can lose. Of course, you need to educate users to report lost devices immediately. IT can then expire the current session and require reauthentication for access. The device can be disassociated from the user’s account and therefore from the user’s access rights. Finally, in some situations (typically for company-owned devices), the company can remote-wipe corporate data from the mobile device.
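One way to implement three of the mitigations discussed above (requiring fresh, phishing-resistant MFA again before a sensitive system is reached, never letting SMS satisfy that step-up, and expiring every session bound to a device the moment it is reported lost) is an explicit policy check at the SSO authorization point. This is an added example, not code from the original article; the factor names, the five-minute freshness window and the sample sessions are assumptions for illustration.

```python
"""Step-up MFA policy check for an SSO session (added example)."""
from dataclasses import dataclass

# Authenticator strength, weakest to strongest. SMS is never accepted for
# step-up, in line with the guidance against SMS verification cited above.
STRENGTH = {"password": 0, "sms": 1, "totp": 2, "fido2": 3}
STEP_UP_MIN = "totp"           # weakest factor accepted for sensitive systems
STEP_UP_MAX_AGE_S = 300        # assumed window in which a second factor is "fresh"

REVOKED_DEVICES: set = set()   # filled in when a user reports a lost device


@dataclass
class Session:
    user: str
    device_id: str
    factors: dict              # factor name -> unix time it was last verified
    active: bool = True


@dataclass
class Resource:
    name: str
    sensitive: bool
    min_factor: str = STEP_UP_MIN   # e.g. "fido2" for the most critical systems


def report_lost_device(device_id: str, sessions: list) -> int:
    """Disassociate a device and expire every session bound to it.
    Returns the number of sessions that were terminated."""
    REVOKED_DEVICES.add(device_id)
    killed = 0
    for s in sessions:
        if s.device_id == device_id and s.active:
            s.active = False
            killed += 1
    return killed


def authorize(session: Session, resource: Resource, now: int) -> str:
    """Return 'allow', 'step_up' (fresh strong MFA required) or 'deny'."""
    if not session.active or session.device_id in REVOKED_DEVICES:
        session.active = False          # a revoked device kills the session
        return "deny"
    if not resource.sensitive:
        return "allow"                  # the initial SSO login is enough here
    # Only factors verified recently enough count towards step-up, and SMS
    # is excluded outright because the number can be ported away from the user.
    fresh = {f: t for f, t in session.factors.items()
             if now - t <= STEP_UP_MAX_AGE_S and f != "sms"}
    if not fresh:
        return "step_up"
    best = max(fresh, key=lambda f: STRENGTH[f])
    if STRENGTH[best] < STRENGTH[resource.min_factor]:
        return "step_up"                # e.g. TOTP is not enough for a FIDO2-only system
    return "allow"
```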

Regularly reevaluate your MFA procedures because security is a dynamic field. As security procedures evolve, attackers continually change their methods to get around the barriers. Your IT infrastructure may change and create new vulnerabilities. The security environment needs to continually change to keep up with hackers and with your infrastructure changes.

Finally, remember that while MFA makes hacking less likely in some scenarios, it doesn’t mean it’s unhackable. Make sure all your MFA admins understand the potential vulnerabilities, and that they’re familiar with ways MFA solutions are hacked or bypassed. This knowledge helps your company understand the types of threats to your MFA solution, how to recognize weakness, and how to report any potential attacks.

The main purpose of secure software development planning is to prepare the organization for any security risks as well as to plan the range of functionality designed to protect the systems. A well-prepared organization is less likely to make critical security errors that put its clients’ sensitive data at risk.

An informed organization will also be well-prepared to deal with any system malfunctions that may arise in a timely manner. Factors of a well-structured organization include clearly defined roles and responsibilities that dictate each developer’s specific designations, as well as ample amounts of tools and resources to make the implementation easier and more secure for the development team.

Secure Software Development Planning

The following four steps must be considered in the secure software development planning phase:

Defining Security Requirements

It is vital that software developers understand the security risks that they face before starting the development process, in order to develop around them. Software developed with all relevant security risks and legality in mind will be better suited for security and compliance, ensuring the safety of all parties involved.

Implementing Clear Roles and Responsibilities

A clear set of roles and responsibilities makes the development process more efficient as well as more transparent. Any malfunctions in the system can be more easily traced back to the source if the members of the development team are held accountable. Accountability also enables developer roles to be updated in accordance with their work. In an organization where everyone’s roles are evaluated and updated accordingly, the team will work more efficiently and logically.

Implementing a Supporting Toolchain

Organizations can implement automated toolchains that apply security checks consistently and accurately on behalf of their developers. Automation relieves humans from needing to constantly survey and update the system. Toolchains may be implemented at any level of development (system-wide or localized to one project) to assist in securing the software.

Security Criteria for Secure Software Development Planning

Even with automation, it is necessary to manually verify the system on occasion. The checker must know what the code should look like and how it should function, what data should be on it, and be able to identify major security risks. Any accessible data should be used to strengthen this process.

Secure software development planning is within the scope of the Certified Identity Management Professional (CIMP) certification program.