What You Should Consider Before Launching a Security Test for Your Third Parties and Vendors
A paradox of cybersecurity’s function in business is that businesses provide value by creatively sharing and using information, while cybersecurity benefits from less sharing of, and less access to, data.
This holds doubly true in the area of third-party security for large organizations that must adhere to stricter regulations, such as banks and government agencies. It is nearly impossible to conduct business without frequently and openly sharing valuable information with, or via, third parties.
Drug developers rely on clinical research partners for essential data. Banks exchange information with credit agencies, other banks, regulators and more. All of this constantly drives software development and infrastructure changes, and some fraction of those changes introduce security vulnerabilities that are detected late in the process, which poses risk to the organizations involved.
Many feel that they get more security “bang-for-the-buck” through third-party testing—testing the software of others. A 2022 study by the Ponemon Institute found that while 75% of respondents are concerned about the risk of ransomware linked to third parties, only 36% of organizations evaluate their own security and privacy practices. An earlier 2019 Ponemon study found that if it were a third party that caused a data breach, the cost increased by more than $370,000 (raising it to $4.3 million). Shoring up third-party defenses clearly has benefits for multiple parties (and your customers).
How Synack Customers Test Third Parties
Synack has seen customers try different approaches for testing third parties. Tests are either 1) encouraged, 2) required or 3) coordinated.
In the first model, third parties are strongly encouraged to get a security test from Synack and share the results with their partner, usually the larger of the two companies. It’s not forced; ultimately, it’s up to the third party to decide if their relationship benefits from a security test.
In the second model, security testing is a contractual requirement that must be met before the relationship is finalized. Finally, the Coordinated Testing model is the one Synack sees growing the fastest. In this model, the larger company, which has several third parties to test, purchases tests on their behalf and mandates testing. Usually, it specifies the testing intensity as well, by choosing a basic Synack test or a more comprehensive offering. This secures testing resources and makes it easier to share data via a testing platform built for that purpose.
Issues to Consider when Testing Third Parties
Whichever model you prefer, there are several things to consider. First, what is the chargeback model, if any, for security tests? Does the third party pay, the first party or someone else? Does the payment happen up front or in later, internal accounting? The latter helps testing start faster, which is ultimately what many companies want in order to reduce risk earlier.
Next, what legal agreements need to be in place? All Synack customers have clear contracts with Synack that cover testing. In some cases, an identical contract is needed with a third party, but more frequently, it’s a simpler agreement. Consult with your legal team to find the simplest but most effective way to expand testing on your assets, regardless of where they reside.
Finally, there is information sharing. Do vulnerabilities found on a third party get reported to the primary party? In most cases, the primary party simply wants to know that vulnerabilities are not present, which can be done with patch verification reports. Synack’s robust role-based access control system and reporting allow for any choice along this spectrum to be securely shared according to the wishes of the companies. Information can be shared via a final report, access to the Synack Portal (with real-time information about testing efforts and results) or both.
Whatever you choose, third-party security testing to clean up potential vulnerabilities advances the ultimate goal for many companies: safer users and data.