Step Up Your Data Security Against Third-Party Risks
0 likes182 views
The document outlines a presentation on the importance of data security and vendor risk management (VRM), highlighting that many enterprises lack confidence in managing vendor access, with significant percentages experiencing breaches due to third-party access. It discusses common challenges organizations face in VRM and emphasizes the necessity of standardization and defensibility in security processes. Additionally, attendees are encouraged to actively engage in discussions and share their insights using the event hashtag #hacksandhops.
Step Up Your Data Security Against Third-Party Risks
- 2. • Please remember to silence your phone • Post using #hacksandhops, and check out the Snapchat filter • You can download this presentation at the end Several notes: WELCOME! DEFEND!STEP UPYOUR DATA SECURITY DEFENSESAGAINST THIRD-PARTY RISKS #hacksandhops
- 3. THANKS TO OUR SPONSORS DEFEND!STEP UPYOUR DATA SECURITY DEFENSESAGAINST THIRD-PARTY RISKS #hacksandhops
- 4. Founder& CEO,FRSecure • Founder of FRSecure ® and SecurityStudio® • Co-inventor of FISASCORE® andVENDEFENSE® • Author of UNSECURITY • 25+ years of “practical” information security experience • Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.) • Member of the Forbes Technology Council • Written more than 750 articles about information security, dozens of television and radio appearances EVAN FRANCEN KEYNOTE #hacksandhops
- 6. BEFORE WEGO MUCH FURTHER… Why should you care about your vendors? #hacksandhops
- 7. VENDORS ARE A SECURITY RISK Don’t believe me? _______ #hacksandhops • Only 35% of enterprise security professionals are very confident in knowing the actual number of vendors accessing their systems. • Only 52% of companies have security standards for third-parties. • Just 34% know the number of individual log-ins that can be attributed to vendors. • 69% of respondents say they definitely or possibly suffered a security breach resulting from vendor access within the last year. • On average, organizations spent $10 million responding to third-party breaches over a 12-month period in 2016. • 63% of all cyber attacks could be traced either directly or indirectly to third parties. Sources: Bomgar survey, PwC, Soha Systems, CSO Online
- 8. FOUR APPROACHES TO VRM Where do you fall? #hacksandhops
- 9. FOUR CATEGORIES OF ORGANIZATIONS Common issues: • Several people having to work on VRM • Knowing who all your vendors are • Categorizing 'high risk’ vendors • Gathering accurate vendor information • Tracking and acting on results • Keeping up with scheduling _______ #hacksandhops GOOD PARTIAL PAINFUL NONE Doing VRM using an internal process that is working Doing VRM but using spreadsheets or some other messy solution Not doing VRM but know they should Not doing VRM but don’t think they need to
- 10. WHERE DO YOU FALL? NONE Several reasons, including: • You just didn’t/don’t know any better. • You don’t know where to start. • You’ve tried before and gave up due to complexity or shifting priorities. • You don’t see the value in establishing a good third-party information security risk management program. • You don’t have the time or money • Executive Leadership do not feel it is a priority • Other? _______ #hacksandhops GOOD PARTIAL PAINFUL NONE
- 11. PAINFUL • Trying to do VRM, but it’s painful • Want to do the right thing. • Forced to do it. • Usually manual, difficult to manage, disruptive and subjective • Overall ineffective at managing risk and defensibility is variable. • The painful approach is expensive and a waste of valuable resources. #hacksandhops GOOD PARTIAL PAINFUL NONE WHERE DO YOU FALL? _______
- 12. PARTIAL • Only covers part of “information security” • Information security is managing risk to information confidentiality, integrity, and availability considering administrative, physical, and technical controls. • Typically focused on technical controls because they’re easy; however, aren’t people the greatest risk? • Good at partial, but not likely to address how breaches will occur; partially defensible. • The partial approach is incomplete and leads to a false sense of security (sometime worse than no security at all). #hacksandhops GOOD PARTIAL PAINFUL NONE WHERE DO YOU FALL? _______
- 13. GOOD • Rare, but effective and streamlined. • Doesn’t compromise on our definition of “information security”. • Simplified – no unnecessary steps; easy-to- follow. • Standardized – objective, same processes for all third-parties. • Defensible – logical, organized, objective, auditable and completely effective. #hacksandhops GOOD PARTIAL PAINFUL NONE WHERE DO YOU FALL? _______
- 15. STANDARDIZE • Once we’ve established the standard process, don’t deviate unless it’s absolutely necessary. _______ #hacksandhops • If deviations from the standard process must be done, make sure they’re documented and signed off on. • Each deviation from the standard process erodes defensibility.
- 16. STANDARDIZE • Big vendors (Microsoft, Google, Amazon, etc.) may not participate in our VRM process; these are common deviations and are exceptions that can easily be explained away should something bad happen. _______ #hacksandhops • Standardization comes through documentation, training, and automation. Every step in the process that can be automated should be automated.
- 18. THE TRUE MOTIVATION: DEFENSIBILITY • Defensibility in your VRM is arguably the most significant “why” for doing it in the first place. • If/when something bad happens, attackers become customers, regulators, opposing counsel, etc. _______ #hacksandhops
- 19. THE TRUE MOTIVATION: DEFENSIBILITY • Ask yourself about defensibility constantly during VRM activities. Examples: • How many vendors do we have? Defensible? • How many high-risk vendors do we have? Defensible? • Have you vetted all high-risk vendors? Defensible? • Non-definitive answers (assumptions, guesses, etc.) are more likely to be indefensible. _______ #hacksandhops
- 21. Vice President & CISO,Provation • BIO INFORMATION MILINDA RAMBEL-STONE PANELISTS #hacksandhops
- 22. TODDTHORSEN, CISSP, CISM,CIPP/US PANELISTS #hacksandhops Senior ManagerInformationSecurity, RiskManagement& Compliance,Code42 • BIO INFORMMATION
- 23. ARIN BROWN PANELISTS #hacksandhops ChiefTechnologyOfficer, SeaChange • BIO INFORMATION
- 27. • STATS FOR NEXT H&H OR OTHER INFORMATION PLACEHOLDERFOR NEXTH&H NEXT HACKS & HOPS AMBUSHED!INSIDETHE MINDOF A HACKER #hacksandhops
- 28. WANT THIS PRESENTATION? Text DEFEND19to 555888to get acopyofthis slidedeck. ________ #hacksandhops
- 30. • Last call at 4:40; head downstairs by 5 • Share your opinion with Andy • Keep posting using #hacksandhops to appear on our social wall Several notes: THANK YOU! DEFEND!STEP UPYOUR DATA SECURITY DEFENSESAGAINST THIRD-PARTY RISKS #hacksandhops