What the Capital One Breach Should Teach Us About Vendor Security Management

The news of the Capital One breach rocked the banking industry this week.  It is significant because it wasn’t a virus or an outside hacker but allegedly a previous employee of a Capital One vendor who gained access to over 10 million customer records. Surprisingly to some, the percent of breaches from insider threats is considerable. A recent study showed that 44 percent of breaches were caused by vendors.  

Many businesses have already taken a look at their own internal security practices but another major challenge is how to manage a vendor relationship with regards to security. This week’s news makes it clear that while cybersecurity should be a top priority for all businesses of all sizes, even a company as sophisticated as Capital One can have blind spots when it comes to managing vendors. Strict vendor security plans need to be in place.  

Here are 8 things you can do to get started with vendor security management:

1. When you select a vendor have a strong vendor assessment process in place. You need to include security as part of your vendor assessment.  Consider how safe each vendor will keep your sensitive information and what processes they have in place.
2. Require vendors to provide independent third party security assessment, like a SOC 2 report or PCI certification.  Having a security assessment from a third party is a sign that the vendor takes security seriously and has had an independent group review their security processes.  Remember the scope of assessment should also be appropriate to cover all the areas that are relevant to your interactions with the vendor.
3. Make sure there is continual annual vendor reassessment. Ask for any changes in their environment that may have an effect on the security of your data, including an active list of employees, a change in infrastructure or cloud providers.  Security is not just a one time deal. It is a way of doing business and a commitment to protecting valuable information for all parties involved. You should understand the vendor’s schedule for security assessments and when they last completed one to make sure it is up to date. 
4. Segment the data they have access to by restricting it to the minimum required. To do this you have to understand where the data lives and how the data flows within your environment. You don’t have to open up your entire network to a vendor.  Remember to limit the scope to the relevant areas and this will reduce your vulnerability to attack.
5. Test - conduct vulnerability scanning and testing on their network if allowed. Some organizations may not allow you to scan their environments. If you are unable to perform your own scans ask the vendor to provide you with a recent independent penetration test and how the company remediates any exceptions that are uncovered. Once you have completed a third party assessment it makes sense to check it.  Additionally, conducting an internal vulnerability scan will show you if there are any areas you missed in the scope of the work and where your weak points might be. This double check can save your business from a costly breach.
6. Deploy log management and DLP (Data Loss Prevention) tools to understand what data they have access to and are accessing. Keeping a record can help you understand what is being accessed the most and who has access.  In the case of a breach, it will also help you know what patterns were occurring and if anything outside of the normal pattern has occurred.
7. Make sure any vendor agreement has appropriate contract language requiring the company to implement  appropriate security procedures and technology. By adding it to the contract of work you are showing how seriously you view this element of the business agreement.  It also ensures that the vendor will take appropriate steps with their security program in order to meet the terms of your contract.
8. Implement an off-boarding process.  Make sure all ex-employees internally, and with the vendor, are appropriately off-boarded and access to systems is immediately removed. This one can be easy to overlook for many businesses who are busy and perhaps have overworked HR teams. However, it is critical for all departments of the business to work together so they can track employees and stop access as appropriate.  The Capital One breach this week is an example of how not stopping access can lead to a serious security breach.

Of course Capital One is just the latest company to highlight the importance of vendor management and the need for a solid security program.  Our CEO, Grant Elliott, also talked about the 5 lessons learnt from the Equifax breach which was settled last week. The Capital One breach shows us how important these lessons are for all companies. This year’s Ponemon Cost of a Data Breach report studied the costs associated with breaches that occurred between July 2018 and April 2019 at 507 organizations. The global average cost of a data breach for the 2019 study is $3.92 million, a 1.5 percent increase from the 2018 study. Think you’ve read enough about breaches?  Then maybe you need to read our blog post about 5 Ways to Protect Against Breach Fatigue to avoid it happening at your company?

Ready to take action?  Speak to Ostendio about setting up your security program or assessment.  We have experts who can help your company build, operate and demonstrate security compliance to over 100 standards globally.