The recent ransomware attack on cloud hosting service iNSYNQ highlights an imperative element of cybersecurity that is often overlooked: vendor management.
At the time of the attack, iNSYNQ quickly followed protocols and shut down servers to contain the malware infection from spreading. But the damage was already done and the shutdown left customers unable to access their accounting data on very popular services like Intuit QuickBooks.
As the CCH attack earlier this year showed, it is not a matter of if, but when a company is attacked and accounting firms are increasingly becoming a desirable target for cyber criminals to exploit. Vendors play a key role in helping companies achieve efficiency and success in today’s economy.
As they are increasingly relied on, companies have a growing responsibility to establish effective protocols to ensure vendors protect their interests when granted access. If hackers gain entry into a third-party system, they can possibly leverage stolen information and credentials to pivot into your company’s system.
Improving Your Risk Profile
In addition to practicing good cybersecurity, if you want to improve your cyber risk profile when working with vendors, you should consider the following:
1. Build security requirements into contracts. A company’s legal team should work with the IT department when drawing up a new vendor contract to clearly spell out the expectations regarding security policies and procedures. Specific protocols that should be written into the vendor contracts include company security policies; access controls; periodic audits; incident response; and risk sharing in the event of a breach.
2. Know your inventory. The performance of an in-depth data inventory is vital for companies that allow their vendors to maintain client data, such as Intuit QuickBooks. This inventory should analyze each vendor that a company does business with and determine the types of data that the vendor has been given access to.
3. Demand cybersecurity assurance. The current Systems and Organization Controls (SOC) 1 and 2 reports do not prescribe methods for providing assurance or insight into a vendor's security risk management program. However, there is a new SOC report framework—the SOC for Cybersecurity—which specifically audits cyber risk management. You should request that your vendors perform a SOC for cybersecurity audit annually or when there are significant changes to the vendor's cyber environment in addition to annual penetration testing.
4. Schedule access and security reviews. Every company should perform access and security reviews daily and the same is true for vendors with access to a company’s system. If a vendor is allowed to remotely access a company network or application at any time, audit controls should be put in place to regularly monitor VPN logs in conjunction with a review of the network and application activity logs. As a best practice, management should consider keeping vendor accounts for remote access applications disabled until support is needed.
What both the CCH and iNSYNQ attacks underscore is that there is urgency in every breach. You, your staff and your clients undoubtedly need to rely on vendors in various areas, which has led you to share data on systems and services across cyberspace. A breach in any of these services represents a threat to your clients and even your firm.
Taking steps today to address vendor related cyber risks will help mitigate the exposure to your organization—and reduce the risk of being the next headline.
Mike Skinner, CPA, CITP, CISA is the partner in charge for HORNE Cyber. His primary focus is to enable clients to fully leverage technology innovations by providing the insights critical to safeguarding their business, customers’ critical data and brand reputation while gaining return on investment from IT regulatory compliance activities. He...