
IBM Security Privilege Manager – Remove excess privileges from endpoints and use policy-based controls to block malware attacks.

Least Privilege Policy

Security regulations call for a least privilege policy, which means limiting access to reduce your attack surface. Least privilege requires that every user, application and system account have the minimum access to resources needed to do their job. Many customers, users or applications have admin or root privileges with access to sensitive data/operating systems. Under a least privilege model, administrative accounts with elevated privileges are given only to people who really need them. All others operate as standard users with an appropriate set of privileges.

Regulations like PCI DSS, HIPAA, SOX, and NIST and CIS security controls recommend or require implementing a least privilege model as part of a compliance solution. During an audit, you may have to demonstrate how the principle of least privilege is applied and enforced in your organization to control administrative accounts.

To successfully comply with a least privilege policy, you must know which privileges you need to manage. That means finding out which endpoints and local users have admin or root credentials, identify which apps are in use and if they require admin rights to run and understand your risk level for service accounts and apps with an elevated set of privileges.

Imagine how much damage and risk you will take away if you remove your business users from local admin groups, yet provide them with a way to install approved applications. IBM Privilege Manager helps with just that.

Get started with IBM’s free endpoint application and least privilege discovery tools.

Secure your largest attack surface with a single agent

IBM Privilege Manager can communicate with hundreds of thousands of machines at once. You can check policies and execute 24/7 control across every device and application under your purview through a single, streamlined dashboard.

You can discover which users and endpoints have local administrative rights, including hidden or hardcoded privileges across domain and non-domain machines, and automatically remove these rights as needed. This helps you control the exact membership of all local groups and users to reduce the risk of backdoor accounts.

Define flexible policies that ensure a frictionless user experience

IBM Privilege Manager automatically elevates the applications and data that users across your organization need—without requiring credentials or forcing users to request IT support. It provides granular policy-based controls that determine and maintain access to trusted applications and processes.

Through advanced real-time threat intelligence, the solution whitelists, blacklists or graylists your applications according to flexible policies you define.

  • Whitelisting – Trusted applications are whitelisted and elevated, so users can easily access them without IT support.
  • Blacklisting – Known-malicious applications are blacklisted based on real-time threat intelligence and are blocked from running.
  • Graylisting – Potential threats are graylisted, meaning they’ve moved to an isolated sandbox environment for further testing.

Additionally, any application can be quarantined and “sandboxed” at any time, as you deem necessary, regardless of its list designation. A quarantined application can be safely executed and tested without the risk of exposing system folders or underlying OS configurations.

Easily manage and remove local administrative rights

Determine which accounts are members of any local group, including system administrators. If necessary, you can quickly reset all endpoints to a “clean slate” by removing all local administrative privileges at once.

Boost productivity for users and support staff

Since policy-based controls are enacted on the application level, users can access the trusted applications, systems and data they need without local administrative rights or the hassle of submitting tickets to IT support.

Achieve audit compliance through transparency

Share an easy-to-understand auditable trail of all application policies, administration credentials and privilege elevation activities with auditors. You’ll provide a clear picture of your compliance levels and what actions, if any, should be taken.

Read the last part tomorrow!

Privileged Access Management and Identity Governance – Integrate with identity governance capabilities for continuous user lifecycle management and compliance.

IBM Security Identity Governance and Intelligence (IGI) integrates with IBM Secret Server for automated lifecycle management. Implementing PAM can’t be treated as a standalone project. It requires automated identity governance capabilities to prevent issues that would otherwise emerge over time: entitlement aggregation; users with an ever-expanding collection of access to privileged accounts as they change roles, jobs and departments; limited visibility into shared passwords; and so on. Integrating IBM Secret Server and IBM IGI helps prevent toxic combinations of access through a holistic view across both privileged credentials and normal business user accounts. IBM Secret Server securely stores and monitors privileged credentials in an encrypted vault, while IBM IGI ensures that users’ access levels are compliant with regulations and free of SoD violations.

Avoid access combinations that lead to risk

While PAM solutions give you a simple way to know who can access and use privileged accounts, you still need visibility and insight into the unique combination of privileged access each user has. A user with a “toxic” combination of access presents a risk to your organization.

Imagine that one of your users has access to an application that uses a database to store its data. What if that user—unknown to you—also had access to the privileged account necessary to manage the database? They would have the ability to edit the database, thereby circumventing the business and authorization controls of the application. And if the user had privileged credentials to manage the OS, then the auditable trail could be cleared.
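The toxic-combination scenario above, written out as a separation-of-duties check that an IGA tool could run over combined business and privileged entitlements. This is an added example, not IBM IGI or Secret Server code; the entitlement names, rule definitions and user data are constructed for illustration.

```python
"""Separation-of-duties (SoD) check across business and privileged entitlements.

Added example, not IBM IGI or Secret Server code. The entitlement catalogue,
rules and user data below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample: entitlements per user, spanning the business application
# (governance side, "app:" prefix) and privileged accounts (vault side, "priv:").
USER_ENTITLEMENTS = {
    "alice": {"app:orders:user", "priv:orders-db:dba"},
    "bob":   {"app:orders:user"},
    "carol": {"app:orders:user", "priv:orders-db:dba", "priv:orders-host:root"},
    "dave":  {"priv:orders-host:root"},
}


@dataclass(frozen=True)
class SodRule:
    name: str
    conflicting: frozenset  # the rule fires only when ALL of these are held
    risk: str               # why the combination is toxic


# The two combinations described in the text: application user who can also
# administer the application's database, and a DBA who can also clear the
# host's audit trail as OS administrator.
RULES = [
    SodRule(
        "app-user-and-dba",
        frozenset({"app:orders:user", "priv:orders-db:dba"}),
        "can edit application data directly, bypassing the application's authorization controls",
    ),
    SodRule(
        "dba-and-os-admin",
        frozenset({"priv:orders-db:dba", "priv:orders-host:root"}),
        "can alter data and then clear the audit trail on the host",
    ),
]


def find_violations(entitlements, rules):
    """Return (user, rule name) pairs for every user holding a full toxic combination."""
    violations = []
    for user, held in sorted(entitlements.items()):
        for rule in rules:
            # Subset test: every entitlement named by the rule is held by the user.
            if rule.conflicting <= held:
                violations.append((user, rule.name))
    return violations


def recommend_revocations(entitlements, rules):
    """For each violating user, list the privileged entitlements involved.

    Revoking any one of them breaks the combination, so these are the items a
    recertification campaign should put in front of the approver first.
    """
    out = {}
    by_name = {r.name: r for r in rules}
    for user, rule_name in find_violations(entitlements, rules):
        privs = [e for e in by_name[rule_name].conflicting if e.startswith("priv:")]
        out.setdefault(user, set()).update(privs)
    return {user: sorted(privs) for user, privs in out.items()}


if __name__ == "__main__":
    by_name = {r.name: r for r in RULES}
    for user, rule_name in find_violations(USER_ENTITLEMENTS, RULES):
        print(f"{user}: {rule_name} -> {by_name[rule_name].risk}")
    print(recommend_revocations(USER_ENTITLEMENTS, RULES))
```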

Automate recertification campaigns

IBM IGI lets you run certifications to automatically trigger access reviews and gives managers business-friendly information to help with the attestation processes, free from cryptic IT jargon that could otherwise result in bulk approvals.

Integrating IBM IGI with IBM Secret Server extends certification controls to include privileged users as well as non-privileged business users. You can replace error-prone manual processes with an automated recertification process that makes it easy for approvers to better understand what it is they’re actually approving.

Recertification campaigns will help you prove compliance while maintaining clean, healthy and appropriate access to privileged and non-privileged applications.

The benefits of integration

When you integrate IBM Secret Server with IBM IGI, you:

  • Avoid entitlement aggregation and ensure continuous access management
  • Easily prove compliance through recertification campaigns
  • Avoid risks and toxic access combinations through SoD controls across privileged and non-privileged users

Read more tomorrow!


There is no doubt that supply chain breaches have become a major concern in nearly every business, especially where electronic transactions are taking place. Hacking that results in supply chain breaches makes businesses vulnerable to theft of confidential data, along with real-life theft of goods that are in transit. For a hacker, the information obtained by gaining access to secure computer data can lead to the theft of millions of shoppers’ credit card and account details, leaving a business liable for a fortune in fraudulent charges.

A glaring example of this is the recent major hack of discount retailer Target, which occurred on Black Friday of 2015. Over 40 million customer accounts were illegally accessed, giving the thieves credit and debit card data, along with security codes which are found on the back of the cards.  Luckily, no social security numbers or other vital information was stolen. 

Hackers can use this type of highly sensitive information to make electronic purchases online or sell to the highest bidder.  As a result of this enormous security breach, many major banks and other financial institutions have announced that they are much more thoroughly monitoring their customer accounts.  JPMorgan Chase (JPM) said it would limit the amount of cash that cardholders could withdraw from ATMs in a given period of time, along with enforcing a spending limit for electronic purchases in stores.

Chuck Schumer has demanded a report from the Consumer Financial Protection Bureau as to whether encryption of customer data should be required by law, while Richard Blumenthal called for a Federal Trade Commission probe.

What do I do if my card was hacked? 

“Customers typically aren’t liable for unauthorized purchases on their accounts that they report promptly. Major banks and credit card companies — including American Express (AXP), Discover(DFS), Bank of America (BAC), Wells Fargo (WFC) and PNC (PNC) — said they were monitoring customer accounts.  J.P. Morgan Chase said it was temporarily limiting ATM withdrawals to $100 a day and purchases to $300 a day for customers whose accounts were at risk.”


How does this type of security breach occur?

Unfortunately, many of these hackers are extremely adept at covering their trails, and many of the details of these crimes remain unsolved. In relation to the recent hacking of Target, security experts believe it to have been a breach of point-of-sale data. Basically, an HVAC vendor was allowed access to information on the same server that held customers’ credit card and other financial information. The bad guys obtained passwords from this vendor and were able to get onto Target’s server. This is a major blow for both Target and their participating financial institutions, as they are forced to cover all fraudulent charges in order to retain shopper confidence.

“The recent, unprecedented cyberattacks have disrupted business for leading global companies, infiltrated governments and shaken confidence among security practitioners,” said Tenable CEO Ron Gula, in a press release. “With so much at stake, organizations need to know whether their security programs are effective or if they are falling short.”

(Fox News)

Data breaches are a rapidly rising area of concern globally, and in particular in financial services, where large sums of money are transferred both physically and electronically between different parties. On the more passive side, hackers can find extremely confidential business information and disperse it into the public realm, usually through online avenues, which can seriously damage or inhibit the operational capacity of the entity. Information such as bank account transactions, business trade secrets, and material production/sourcing information can be leaked to competitors in a way that gives them an advantage in the sales market, or in some cases even damages the victimized company to a point where recovery is difficult or even impossible.

IBM Security Secret Server – Easily discover, control, change and audit privileged accounts.

The first step in managing privileged accounts is finding the accounts you don’t know exist. Manual processes and errors can lead to accounts that are unknown and unmanaged by IT. With IBM Security Secret Server, you can automatically scan your entire IT infrastructure to discover privileged, shared, and service accounts. This sensitive information is then stored in an encrypted centralized vault to ensure proper protection using advanced encryption standards. Password policies can be implemented and enforced on every account. You’ll gain full visibility and control over every privileged account in your environment.

Curb privileged access sprawl

When you discover all privileged accounts across your infrastructure using IBM Secret Server, you identify all service, application, administrator and root accounts. This means you gain total visibility and control over privileged credentials that previously went undetected.

Get started with IBM’s free interactive Privileged Account Discovery tool.

Generate, store, rotate and manage SSH Keys

Bring the generation, rotation, control and protection of SSH keys directly into IBM Secret Server. SSH Keys are similar to usernames and passwords but are used for automated processes and for implementing single sign-on by system administrators. With Role-Based Access Control and permission sets, you can control who has access to which sets of keys, regardless of location or IP address.

Monitor and record privileged sessions

Know every keystroke a user takes. IBM Secret Server enables real-time session monitoring and allows you to terminate a session if risky behaviour is detected. It also allows you to record privileged user activity. This provides an audit trail from when the user checks out a secret, to what they did on the system, to when they finally log off. Gain full insight into what’s going on in your most critical accounts.

Change passwords automatically when they expire

Privileged passwords should be changed regularly. IBM Secret Server’s built-in password changing and expiration schedules ensure that critical passwords are changed automatically, without manual intervention.

Delegate access to all privileged accounts

Maintain accountability and provide better context to approvers, so they know exactly why a user needs access. You can also set up role-based access control (RBAC) and an approval workflow that enables transparent access, time restrictions and other parameters of that access and password approval for third parties.

With IBM Secret Server you’ll gain full visibility and control over every privileged account.

You’ll know if someone adds backdoor access or makes an unauthorized configuration change.

You can identify who accesses a system, review the actions they take and react accordingly. Session monitoring and recording also gives you a complete audit trail.

Enhanced auditing and reporting

Utilize dozens of out-of-the-box reports for better insight into system health and compliance. You can generate full reports on password vault activity and create custom reports from database queries as needed.

Integrate IBM Secret Server for enhanced security

IBM Secret Server integrates seamlessly with critical IBM Security solutions, including IBM Cloud Identity, QRadar®, Guardium® Data Protection and IBM Security Identity Governance & Intelligence.

Read more tomorrow!

A Pressing Imperative: Privileged credentials are the targets of choice for cyber attackers.

It makes sense for privileged accounts to be the most vulnerable because compromised accounts can grant unfettered access to your organization’s IT infrastructure. That’s why many high-profile breaches have resulted from unmanaged and unmonitored privileged accounts. The attackers responsible often gain administrative control through a single endpoint—and always leave substantial damage in their wake.

Locking out threats with Privileged Access Management

Ensuring your enterprise can appropriately protect, manage and monitor privileged rights mitigates the risk of unwelcome guests to your IT infrastructure.

Privileged Access Management (PAM) is a critical element of a broader Identity Governance & Administration strategy. It enables you to secure passwords, protect endpoints and keep privileged accounts safe and out of the hands of would-be impostors.

By 2022, 70% of organizations will have PAM practices for all use cases in the enterprise, reducing overall risk surface.1

Putting Privileged Access Management into practice

The latest Gartner survey responses suggest that 90% of organizations will recognize that mitigation of privileged access risk is fundamental to security control by 2022.2 However, 70% of organizations would fail an access controls audit today.3 That means while the vast majority of organizations will come to understand the importance and value of PAM in the near future, they currently lack the PAM software, controls and knowledgeable support required to put it into practice.

IBM delivers comprehensive PAM capabilities through enterprise-grade solutions: IBM Security Secret Server and IBM Security Privilege Manager. Backed by expert consultation and 24/7 support, IBM Secret Server and IBM Privilege Manager help you capitalize on everything PAM has to offer, while also integrating with identity governance solutions for complete lifecycle management for users of your privileged accounts.

A key part of securing your organization is ensuring you are integrating identity into the broader security ecosystem to mitigate internal and external threats. Two key parts of that are:

  1. Privileged Access Management – focused on the special requirements for managing powerful accounts within the IT infrastructure of an enterprise.
  2. Privileged Elevation and Delegation Management (PEDM) – which prevents external threats and stops malware and ransomware from exploiting applications by removing local administrative rights from endpoints.

This week we’ll take a look at why both are necessary for your organization.
Read more tomorrow!

1 Source: The Forrester Wave: Privileged Identity Management, Q4 2018 by Andras Cser, November 14, 2018

2 Source: Best Practices for Privileged Access Management Through the Four Pillars of PAM, Gartner, January 28, 2019.

3 Source: Comply or Die: 2018 Global State of Privileged Access Management (PAM) Risk & Compliance, Thycotic.

Omada Named a Leader in the Gartner Magic Quadrant 2019

SecurIT is proud to announce that Omada has been named a leader in the Gartner Magic Quadrant for Identity Governance and Administration 2019.

Omada believes that they are positioned as a Leader because of their pioneering best practices for IGA, the development of their unique identityPROCESS+ framework, their implementation methodology, and their Identity Governance and Administration product OIS delivered as software and as-a-service.

“Being recognized as a Leader by Gartner is an honor and an important milestone in our global expansion,” said Morten Boel Sigurdsson, CEO of Omada. “Yet, it is not our achievement alone. This is also a recognition of our partners who are building their businesses on Omada and our shared effort to create business value for customers.”

Discover why Omada is a Gartner Magic Quadrant for Identity Governance and Administration Leader
Omada has been named a Leader in Gartner’s Magic Quadrant for their ability to execute and completeness of vision. They see their position in the Magic Quadrant as a confirmation of their focus on using identity to create business value and accelerate digital transformation. 


One of the areas that the National Institute of Standards and Technology (NIST) is concentrating on is cybersecurity. As regular readers of this blog will know, cybersecurity incidents are at an all-time high. Last year, Secretary of State John Kerry even described the security situation as being “pretty much the wild west…so to speak”. It is within the context of this overbearing security incident landscape that the NIST Cybersecurity Framework has come into being.

Why Even Have A Framework for Cyber-Security?

You may well ask: why have an overarching framework for handling security issues? Why can’t I just work it out myself as I need to? A framework is a positive and helpful reference system. Frameworks develop out of experience and knowledge of a given situation. You could apply the principles of a framework to pretty much any situation. For example, you could have a framework which expands upon the types of policies needed for a specific healthcare service, or one for a public transport system, and so on.

The cyber-security framework that NIST has developed is in a similar vein. It has been built upon the experience and knowledge of many organizations and individuals who have worked in the area of security. This collective expertise is used to create guidance on how to recognize, manage and mitigate cybersecurity risks.

Having an expert system, like a framework, is particularly useful for creating strategy and policy around cybersecurity threats. The framework was put together using the aggregated wisdom of over 3000 security professionals. It gives you the foundation stone to create your own internal targets and plans that you can use to build a more secure organization.  It means you can use already tried and tested protocols and procedures, without having to reinvent the wheel. In other words, it is a way to use security collaboration for the benefit of all.

Having an established set of guidelines for developing your own Cybersecurity program is recognized by many experts as now essential. PWC in their report on “Why you should adopt the NIST Cybersecurity framework” has stated that,

“It is our opinion that the NIST Cybersecurity Framework represents a tipping point in the evolution of cybersecurity, one in which the balance is shifting from reactive compliance to proactive risk-management standards.”


What are the NIST Cybersecurity Framework Basic Functions?

The NIST Cybersecurity framework has a core, which is built upon five basic functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Each looks at different aspects of a Cybersecurity threat/attack lifecycle and how best to handle it. They follow a logical progression and build upon each preceding function. I’ll concentrate here on the first one, Identify.

The definition of ‘Identify’ is this:

“An understanding of how to manage Cybersecurity risks to systems, assets, data, and capabilities”

This is the most basic and fundamental of all of the NIST Cybersecurity functions and as such, it is the most important. Identify is all about identification – understanding what your critical assets are and understanding where the risks lie. Assets are wide and varied and literally, anything that can be breached or damaged is an asset. This includes intellectual property, customers’ data, proprietary information and also physical assets. This whole area is becoming increasingly complex as we expand our networks outwards into the Cloud and even more so as we enter the era of the Internet of Things (IoT).

Identify is all about governance too. Our perimeters are becoming more fluid and fuzzy as they expand outwards and cross over the supply chain itself. In fact, the supply chain is one of the areas that can stand to benefit most from the use of the Identify function within the NIST Cybersecurity framework. Many organizations are now asking suppliers to provide a Framework profile, or providing their own template to suppliers, which sets out how the supplier approaches security and their own internal processes and procedures that fit in with the NIST philosophy. This forms the basis of their risk management strategy, again a fundamental of the Identify function.

The Identify stage of the NIST framework is the vital first step in understanding how to approach Cybersecurity risk mitigation. This step is the pivot upon which the other four functions work. Without having full sight of the various aspects of your business, across your expanded data universe for your own organization and any associated companies, you can’t hope to build a holistic and effective Cybersecurity management plan.

Making NIST and the Identify Function Work for Us

The NIST Cybersecurity Framework has been designed by collaboration with security professionals, who have gone through the pain of creating a solid Cybersecurity strategy.  We can all benefit from using their collective wisdom and following their recommendations. The first foot on the road to a solid Cybersecurity program is to know your enemy and their actions. Performing the Identify function is that first step on the road to a more secure organization.

There are many places you can get further information on applying the NIST cybersecurity framework principles. However, there is a book I can highly recommend, by Adam Anderson and Tom Gilkeson, “Small Business Cybersecurity”, that will help ease the complexity out of the equation and explain in simple terms how to utilize the NIST Cybersecurity framework and the Identify function. The book was written specifically to advise security professionals at small to medium-sized companies on how to communicate the latest tools and techniques in security to C-level executives, and is a great reference guide.

Privileged Account Management for Dummies

Getting to know PAM

This book gives IT professionals a practical understanding of privileged account management (PAM). It describes what privileged accounts are, where they reside throughout an IT environment, and how they function. Most importantly, this book explains the risks associated with these accounts and how to best protect them from hackers and malicious insider threats. 

This book will help you:

  • Grasp the fundamentals of privileged account management (PAM) 
  • Develop strategies for building a PAM solution
  • Learn the top ways to protect your organization’s most critical accounts

PAM for Dummies is sponsored by Thycotic, an IBM partner whose technology powers IBM Security Secret Server.

Get your white paper here

About SecurIT

Founded in 1999, SecurIT has over 18 years of extensive experience in designing, implementing and maintaining large Identity Management/Governance infrastructures. With more than 30 specialists permanently employed in the Netherlands, SecurIT offers its customers high-quality consultancy, implementation, management and support services (24/7).

Ignore partner security at your cost: the importance of supply chain security and risk awareness

There was a ton of research into supply chain security issues this last year, likely due to the number of major attacks that originated with a supply chain member. Supply chain cyber-attacks come in all shapes and sizes. One of the most prolific and successful was committed in 2014 by the cyber-espionage group code-named ‘Dragonfly’. This supply chain initiated security breach focused on attacking smaller supply chain members to get at larger pharmaceutical/energy suppliers in Europe and North America. Dragonfly infected industrial control systems (ICS) software with Trojans, replacing legitimate code with their malicious code. The infected ICS software was then downloaded from the supply chain supplier’s site, infecting their enterprise customers. The software was downloaded around 250 times before being discovered! The costs are still rolling in, but estimates show the financial damage for gas and oil alone will be around $1.8 billion by 2018.

But it’s not just organized gangs of cybercriminals you need to be wary of. Insider threats are also a big issue for supply chain risk and security management. Small firms can’t afford large IT departments to investigate threats that are hard to uncover. PWC, in their report on the ‘2014 U.S. State of Cybercrime’, found that only 20% of smaller firms actually had any security function to check for insider threats. The rest just didn’t have the staff to handle the situation. We can see that the planets are aligned: supply chain members offer a perfect package for anyone attempting to steal data, intellectual property or financial details, or even to cause material damage to industrial processes. As PWC put it in the aforementioned report:

“Indeed, criminals have found that third-party partners may provide relatively easy access to confidential data. It’s an indirect path to criminal profit that is increasingly successful because most organizations make no effort to assess the cybersecurity practices of their partners and supply chains.”


It is in light of this that we need to reconsider how we process bids from potential supply chain members.

The Importance of Supply chain Security Due Diligence

With all of this evidence pointing to the security breach potential within the supply chain, why then do we have so much of an issue working out the supply chain risk when we are evaluating bids? One of the reasons is that evaluating bids takes time, and adding any extra variable into the mix would increase this time, not only for the bid process but potentially the time to market too. IT projects are already under intense pressure. According to estimates by The Standish Group in the ‘Chaos Report’, only around 16% of projects ever come in on time and on budget. Any additional consideration, and security is a big one, will add even more risk to a project.

However, the current cybersecurity chaos has meant that the security of supply chain members has become a vital part of the procurement process. A KPMG study in 2015 across multiple sectors found that procurement managers are starting to listen, with 70% of them stating that they now look seriously at how a smaller organization can handle their clients’ data. 94% of the procurement managers said that cybersecurity was now an ‘important consideration’ in the procurement process.

However, one of the renowned bugbears of anyone handling a bid process is the involvement of outside parties like security audit. Security is an area that is notoriously complicated to assess and takes time. Security departments and procurement are often thought of as being on opposing sides, with security seen as being a hurdle to cross, rather than an important voice in the bid process. The KPMG study demonstrates that this is changing, but the timing issue remains a challenge. The trick is how to square the round, keeping the bid process moving, while completing security due diligence. A balance needs to be struck and simply not performing security assessments, is a false economy that can result in stalled projects and issues such as:

A project that starts but has unknown security problems as no audit has been performed – the new supplier then poses potential security risks to the organization.

The bid process is completed without the security check and the work begins, but then security realizes that checks must be done before the project can proceed, so the process goes back to square one, creating confusion, lost time and financial impact all round.

Security and Procurement Working in Harmony

It is worth considering having some sort of metric to evaluate the security practice and risk profile of a vendor, alongside the other standard criteria such as price and quality. Procurement, after all, is just a collation of considered risks; security needs to become an embedded consideration.

Placing security into the due diligence mix, in light of the serious and growing supply chain security risks, is plain common sense. Skipping security due diligence adds considerable risk to your organization and can end up costing a hefty amount if your supply chain is breached and your data and processes compromised.

The importance of vetting your vendors: Vendor risk management

In 2013 the U.S. department store Target suffered a major breach in which around 70 million customer records were stolen, including personally identifiable information (PII) and 40 million credit and debit card details. The impact of the breach was far-reaching and is still rumbling on. The latest problem to rear its head is a class action against Target from financial institutions which may result in pay-outs of around $67 million.

The Target breach came through a supplier in its supply chain. This supplier, an HVAC company, was spear phished: specific employees of the supplier were targeted with a phishing email that led to their login credentials being stolen and passed to the attackers. Those credentials gave remote access to Target's systems, and the attackers used that access as a foothold to move into Target's own network. Before Target even had a whiff of a security issue, the data was gone and the rest is history.

The story above is a modern-day horror story, but one that brings into sharp relief the need to know your supplier and their operational practices. Vendor Risk Management, or VRM, is an increasingly important area of business risk mitigation. A modern company will often use multiple vendors to supply everything from machine parts to software applications. These vendors often have a very close relationship with an organization, even, as in the case of the Target supplier, holding remote access into the customer's network. Vendors can be seen as an extension of your own company and as such need the same stringent checks that you would place on your own employees and company dealings. Having a formalized strategy for VRM is an important activity that helps reduce the risks associated with working with third parties.

Types of Risks in Vendor Relationships

The types of risks that an organization needs to be aware of when building a vendor relationship are:

1.     Data transfers: In nearly all vendor relationships you will have to share some sort of data. This may be data about joint customers, financial details, or even your own proprietary intellectual property. Data exchange and storage need to be monitored and must adhere to the relevant compliance requirements of the industry, as well as any data protection and privacy laws that exist in your own and the vendor's country.

2.     Network access: If you need to give your vendor access to your IT resources, such as databases, look at the options for protecting that access, not just from phished credentials but from insider threats too. Scope each vendor account to the specific systems the work requires, so that a single compromised credential cannot be used to reach everything. Against credential theft, second-factor authentication measures such as hardware key fobs, mobile-based authenticators or other out-of-band methods add a layer that a phished password alone cannot get past. Insider threats are harder to prevent, but behavioral monitoring and employee vetting can help.

3.     Access to premises: As with network access, access to premises comes with its own challenges, and extracting sensitive data from an unattended machine has become easy. For example, the USB Rubber Ducky, a keystroke-injection device that looks like an ordinary USB stick and costs less than $43, lets anyone with physical access to a company computer run a pre-programmed script that can pull out sensitive data, including login credentials, in seconds. Ensuring that vendor access to premises is closely monitored and that computer and network access is managed is part of your overall security strategy.
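The network-access point above, as an added example that is not part of the original article or of any IBM product: a Python sketch of a vendor login guarded by a password plus a mobile-authenticator code (TOTP, RFC 6238, the usual mobile-based second factor), with a one-step clock-drift window, rejection of replayed codes, and an allow-list of the systems the vendor may reach. The vendor name, password, shared secret (the RFC 6238 test-vector secret) and system names are constructed for the demo; the `VendorAccount` class and its `authenticate` method are hypothetical helpers written here, not an API from the page.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


class VendorAccount:
    """Hypothetical vendor login: password + TOTP, a one-step drift window,
    replay rejection, and an allow-list of systems the vendor may reach."""

    STEP = 30
    DRIFT_STEPS = 1  # accept the previous/next time step to tolerate clock skew

    def __init__(self, username: str, password: str, totp_secret: bytes, allowed_systems: set):
        self.username = username
        # Constructed fixed salt for the demo; a real store draws a random salt per account.
        self._salt = b"demo-salt-" + username.encode()
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        self._totp_secret = totp_secret
        self.allowed_systems = set(allowed_systems)
        self._last_counter = -1  # highest TOTP counter already consumed

    def authenticate(self, password: str, code: str, system: str, now: int) -> tuple:
        """Return (granted, reason). Every factor must pass; a password alone grants nothing."""
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        if not hmac.compare_digest(candidate, self._pw_hash):
            return False, "bad password"

        counter = int(now) // self.STEP
        matched = None
        for c in range(counter - self.DRIFT_STEPS, counter + self.DRIFT_STEPS + 1):
            if hmac.compare_digest(hotp(self._totp_secret, c), code):
                matched = c
                break
        if matched is None:
            return False, "bad or missing second factor"
        # A code observed on the wire or over the shoulder must not work a second time.
        if matched <= self._last_counter:
            return False, "replayed second factor"
        self._last_counter = matched

        if system not in self.allowed_systems:
            return False, f"{system} not in vendor allow-list"
        return True, "ok"


def demo() -> dict:
    """Walk through the phished-credential scenario; all names and times are constructed."""
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, used only for the demo
    hvac = VendorAccount("hvac-vendor", "Summer2015!", secret, {"vendor-portal"})
    now = 1_700_000_000
    pw = "Summer2015!"
    results = {}
    # Attacker holds the phished password but has no token: no code, no access.
    results["phished_password_only"] = hvac.authenticate(pw, "", "vendor-portal", now)[0]
    # The legitimate vendor logs in with the current code.
    code = totp(secret, now)
    results["legit"] = hvac.authenticate(pw, code, "vendor-portal", now)[0]
    # Attacker replays the sniffed code a few seconds later, same time step: rejected.
    results["replay"] = hvac.authenticate(pw, code, "vendor-portal", now + 5)[0]
    # Valid fresh code, but aimed at a system outside the vendor's allow-list: rejected.
    results["out_of_scope"] = hvac.authenticate(pw, totp(secret, now + 30), "pos-network", now + 30)[0]
    # Vendor's phone is one step slow: code for step now+60 presented at now+90 still passes.
    results["one_step_behind"] = hvac.authenticate(pw, totp(secret, now + 60), "vendor-portal", now + 90)[0]
    # Three steps slow falls outside the drift window: rejected.
    results["three_steps_behind"] = hvac.authenticate(pw, totp(secret, now + 60), "vendor-portal", now + 150)[0]
    return results


if __name__ == "__main__":
    for scenario, granted in demo().items():
        print(f"{scenario:22s} -> {'granted' if granted else 'denied'}")
```

The replay check is what turns a stolen one-time code into a dead end: once a counter value has been consumed, any later presentation of a code from that step or an earlier one is refused, even inside the drift window. The allow-list is the least-privilege half of the picture; it does nothing against a phished password by itself, but it limits what a fully authenticated vendor session can reach.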

Vendor Risk Management Strategy

There are a number of areas that you should look at when creating a strategy around VRM: financial, reputational and operational. They should also include:

1.     Know Your Supplier (KYS): Make sure you have your supplier details such as primary contacts, tax information, business addresses and so on. This information forms the basis of your working relationship with the supplier and lets you build up supplier profiles and retain records on each. You can use software systems such as ERP and e-procurement to track supplier performance and ensure you always have up-to-date information on your working relationship. You can extend your data collection on suppliers to keep news articles and general business information on them; information that could alert you to security breaches, or similar issues, that you can use to protect your own data. Analysts Aberdeen Group found that companies who closely collate, store and track supplier data had better project outcomes and showed greater cost savings. McKinsey and Company have looked in depth at how best to manage large vendor eco-systems; they suggest the use of workflow to audit vendors and create programs of accountability.

2.     Security and compliance considerations: PricewaterhouseCoopers (PwC), in their report 'Third Party Risk Management', found an increase in security incidents originating from third-party vendors. They attributed this to the fact that although 71% of the surveyed companies had effective internal security measures, only 32% of those required the same levels of security from their partner companies.

Security has a domino effect across associated organizations: if one company becomes infected by malware, there is a higher chance that an associated company will suffer the same infection. The Bring Your Own Device (BYOD) trend has made it easier for malware to travel between organizations. If a vendor regularly uses their own device within your network and that device is infected, then your data is also at risk.

In addition, a number of regulatory drivers push for greater security awareness across the supply chain, particularly for companies that share data. Most countries have data protection laws and many, such as the EU, have stringent privacy laws. Country-specific and industry-specific compliance standards and laws need to be considered across all touchpoints of the company-vendor interface.

Vendor employee security vetting may also be a consideration in certain circumstances, depending on the level of access a project requires. If a project requires access to sensitive company data, such as intellectual property or even source code, the vendor's employees should come under the same level of security vetting as your own internal employees. This may mean requiring individual non-disclosure agreements and security checks.

Creating an Efficient and Effective Vendor Eco-System

The risk factors around our vendor eco-system are not something we can ignore, especially where security and compliance are involved. Our vendors are in many ways an extension of our own business, and as cloud working and BYOD enter the enterprise this is even more so. Improving control of your vendor management will ensure that your data and systems are held to the same security policies you expect of your own internal strategy. This will allow you to meet the various compliance expectations and data security requirements, and it will mitigate the risk of security breaches, something that is becoming an urgent need for businesses of all sizes as the cyber threat landscape grows ever more threatening.