Who Watches the Watchers?

There’s no doubt we are living in a time where technology and computers have become an integral part of our day-to-day business, and these critical systems are not exempt from the need to be maintained, supported and upgraded. 
Along with this technology, there is an increased risk to business due to cyber criminals and cyberattacks. As October is Cybersecurity Awareness Month, this will probably not be the first, nor last, post that you see addressing security. In this case, we are focusing on one specific aspect: the use of third-party companies to support these systems and what is important to consider.  
When working with small- to mid-sized companies, a common trend we see is that more and more companies rely on third-party vendors to support their computer systems. This support ranges from day-to-day maintenance to fully outsourcing their infrastructure, software, or hardware needs. This is not an uncommon scenario. In fact, recent industry surveys find that more than 50% of companies handle support of their various systems in this way.
If you are relying on a third-party company to watch over the security of your systems, who watches the watchers?  
There is nothing to say that using a third party for various aspects of our business is wrong, but any time we open our systems to an external entity there are associated risks. All we have to do is look at the news headlining SolarWinds, or more recently Morgan Stanley, to see examples of these risks. So, what can be done? Let’s look at a few simple items that should occur with the use of third-party companies.
Information Security Program
One thing to remember is that the use of a third-party company should be to strengthen an information security program, not replace it. You may be asking, “What is an information security program?” To put it simply, it is a combination of what is documented and what is performed as it pertains to our systems.
Documented policies and procedures, covering the maintenance of systems, employee expectations, third-party expectations, and what happens if an issue occurs, not only help reduce overall risk but also make it easier to recover when an incident does occur.
Let’s consider backup and data recovery. If a business had to recover data for whatever reason, how far back is acceptable for this data to be restored? One day? One week? One month? This information should be determined in advance and documented. Then, it should be relayed to our third party to validate that it can be accomplished. 
Our policies and procedures should be complete enough to cover all aspects of our systems and include:
  • How users are created
  • How users are removed
  • What these users have access to
  • How they gain access
  • What they can do with this access
  • Backup – frequency and type
  • Recovery – how far back do we need to be able to restore information
  • Response – what do we do when an issue occurs
If the third party is responsible for any of the above, are they aware of what the policy is regarding this? Are they adhering to it?
Understanding Their Security
Two key areas of focus when allowing a company access to our systems are:
  • What is the security of their systems?
  • What can they do when ours is compromised?
Target’s data breach is a perfect example of this. When choosing a third-party company to work with, it’s not enough to take their word that security isn’t an issue. Does this company have any formal security policy or statements regarding what they are doing to protect their systems from unauthorized access? If they are breached, what liability are they willing to assume as part of that breach? Do not be afraid to ask these questions and have them send proof of their security. Also, once that information is provided, it should be kept on record along with any contracts or agreements provided.
But, just because the company can prove their security initiatives does not mean they will never have an issue. That brings us to our next point.
Understanding their Access
Whenever we allow an external entity into our buildings or systems, we as a business should know exactly what they have access to and how. Do we know how or when this company will be accessing our systems? Do we have a means of monitoring this?   
If the answer is “no” to any of these questions, our business is being placed at a greater risk. How, when and where should be clearly defined and periodically reviewed to make sure it is being adhered to. This isn’t to say the third party will purposely do something wrong, but as the Target data breach taught us, it may not directly be the third party that’s trying to access our systems.
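One way to turn the “how, when and where” of vendor access into a check that can be run during a periodic review. This is an added example, not code from the original post: it assumes a simple text login log and a policy describing the agreed account, source network, maintenance window and in-scope hosts, and the sample log lines are constructed.

```python
"""Check third-party access events against the access policy agreed with the vendor.

Assumptions (not from the original post): a simple text log with one login
event per line, and a policy dict describing how/when/where the vendor may
connect. Sample lines below are constructed for illustration.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy: vendor account, the network it may connect from,
# the approved maintenance window (weekday, local hour) and the hosts in scope.
VENDOR_POLICY = {
    "account": "svc-vendor",
    "allowed_networks": ["203.0.113.0/24"],
    "allowed_days": {0, 1, 2, 3, 4},      # Monday..Friday
    "allowed_hours": range(8, 18),        # 08:00 to 17:59
    "allowed_hosts": {"erp-app01", "erp-db01"},
}

# Constructed sample log, one login per line: timestamp user src_ip host
SAMPLE_LOG = """\
2021-10-05T09:15:02 svc-vendor 203.0.113.10 erp-app01
2021-10-05T23:40:11 svc-vendor 203.0.113.10 erp-db01
2021-10-09T10:05:44 svc-vendor 203.0.113.22 erp-app01
2021-10-06T14:20:30 svc-vendor 198.51.100.7 erp-app01
2021-10-06T15:02:00 svc-vendor 203.0.113.10 hr-fileserver
2021-10-06T15:30:00 jsmith 10.0.0.5 erp-app01
"""

def audit_vendor_access(log_text, policy=VENDOR_POLICY):
    """Return (log line, reasons) for every vendor login that deviates from policy."""
    nets = [ip_network(n) for n in policy["allowed_networks"]]
    findings = []
    for line in log_text.splitlines():
        ts, user, src, host = line.split()
        if user != policy["account"]:
            continue  # only the third-party account is in scope here
        when = datetime.fromisoformat(ts)
        reasons = []
        if when.weekday() not in policy["allowed_days"] or when.hour not in policy["allowed_hours"]:
            reasons.append("outside approved window")
        if not any(ip_address(src) in net for net in nets):
            reasons.append("unexpected source network")
        if host not in policy["allowed_hosts"]:
            reasons.append("host not in vendor scope")
        if reasons:
            findings.append((line, reasons))
    return findings
```

Each finding is a conversation to have with the vendor, not proof of wrongdoing; the point is that the business, not the third party, holds the record of what was agreed and can see when reality drifts from it.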
Understanding Responsibilities
Those who work with the Department of Defense are more than likely familiar with the Federal Risk and Authorization Management Program (FedRAMP), which provides a standardized approach to security authorizations for Cloud Services. At the core of FedRAMP is a concept of “Shared Responsibility,” which is to say the company and the third party both have responsibilities in their relationship.    
This concept should extend to all companies, and the responsibilities of the third party should be clearly defined. Far too frequently I see situations where a company will turn to the third party for assistance only to find out “something” was not being handled by the third party.
Whenever a third party is used, I strongly recommend that a responsibility matrix is designed and communicated. The matrix shows key activities as rows and participating parties as columns. For each participating party, you indicate whether they are responsible, accountable, consulted or informed. This will remove any doubt of who is acting in what role.
Let’s say you’ve done research into your third-party company’s security, created a responsibility matrix and have all the agreements in place. Your job is done, correct? Absolutely not. Remember, these are still your systems and your responsibility. Far too often organizations have no idea how their systems are configured or what the third party is doing. Ask yourself the following questions: 
  • Do we know what they are changing or modifying in our systems?  
  • Did we approve this?  
  • Do we have a record of what they did?  
  • If I had to change my third party, do I have enough information to do so? 
Make sure to keep a record of all assets, configurations of these assets, software, usernames, passwords, and any other items that the third party may be supporting. This helps not only keep that information protected, but also makes it easier if a different third party is needed.
Just as an organization performs periodic reviews of its finances or business operations, a periodic review of the third party should be performed. Just because the company met your expectations initially does not mean they will always perform as expected.
  • Have they been meeting the expectations agreed on initially?  
  • Have there been any changes in the business they need to be aware of?
  • Have their prices increased? 
  • Have their policies changed?  
If they are not meeting expectations, don’t assume changing third parties is the only option. Talk to them and determine the cause of the issues. As with all items in our business, with planning, execution, and review, utilizing a third party can be successful.
The Center is here to help protect your organization. Our experts have designed a cybersecurity program that conducts an assessment of your business as it pertains to the NIST cybersecurity framework and provides the necessary deliverables. Protect your information and have plans in place to deal with cyberattacks. Get started today by emailing cyber@the-center.org or by calling 888.414.6682.
MEET OUR EXPERT: Jeff Williams, Program Manager, Cybersecurity
Jeff Williams leads The Center's efforts to educate and equip small and medium-sized manufacturers to guard against the growing threat of cyber-attacks. One of his main areas of focus relates to the cybersecurity requirements outlined in NIST Special Publication 800-171, designed to protect the information security systems of contractors working with the Department of Defense. In addition to serving Michigan’s manufacturing community, Jeff also is involved with training other Manufacturing Extension Partnership (MEP) centers across the U.S. This effort will enable those centers to provide cybersecurity services to manufacturers in their states.
Since 1991, the Michigan Manufacturing Technology Center has assisted Michigan’s small and medium-sized businesses to successfully compete and grow. Through personalized services designed to meet the needs of clients, we develop more effective business leaders, drive product and process innovation, promote company-wide operational excellence and foster creative strategies for business growth and greater profitability. Find us at www.the-center.org.