It was reported that contractors in China used by Microsoft to train Cortana, their AI engine, were granted access to voice recordings with minimal cybersecurity controls. A former contractor told the Guardian that workers were not vetted and shared account credentials were able to be used on personal laptops.
In their most recent 10-k filing, Microsoft recognized that unauthorized access or disclosures due to third parties are a risk stating, "Employees or third parties may intentionally compromise our or our users’ security or systems, or reveal confidential information."
With a large number of domestic and international vendors global enterprises have, for a quite a while, had formalized processes and resources to ensure that the risks presented by their third parties are in line with the compliance posture required from publicly traded companies. However, we took a detailed look at Microsoft's supplier data protection requirements and observed challenges that are likely to increase the likelihood of incidents initiated at or by third parties, or even their fourth parties. (Note: while this is focused on Microsoft it could well apply to a large number of Enterprise organizations.)
When does the need for a vendor get identified?
Vendor selection is typically driven by business users who present a business problem that needs to be solved. After a determination that this needs can't / won't be fulfilled by internal resources the vendor selection process kicks into gear. The sourcing or procurement teams will search through known third parties in order to present a fit to the business, if they don't fit the business need the search net is extended. Ultimately, it's sourcing job to find a few companies that could deliver.
When does a vendor assessment take place?
The time between the initial business request and a vendor being shortlisted can vary, but this is almost always driven by the business need. At the point the shortlist is created the need for a risk assessment presents itself. The cybersecurity posture, however, is typically one of a number of requirements that are scored. So, even with every company stating, "data security and privacy is a high priority" the security posture of a vendor becomes a criteria alongside other commonly cited criteria. Cost and delivery are almost always ranked higher than risk.
Who completes the assessment?
Anyone that works for a for profit organization will resonate with the need for closing net-new customers, especially larger companies who may bring additional credibility in the marketplace. So it's no wonder that assessment responses completed by sales or account representatives are likely to be a little more "creative" than those completed by the people responsible for the control being tested. We should also point out that sales teams are more likely to transition away from their roles than HR, or IT. Today vendor assessments stop short at trying to identify the best person at the vendor to answer a question.
How often does the third party get assessed?
The frequency of an assessment typically calculated by the risk of the third party. Even with mature systems and processes enterprises allow 3-6 weeks for a vendor assessment to be returned. This does not account for any clarification the vendor may require or follow up tasks let alone the analysis and reporting performed by the enterprise risk team. It's no wonder that even the most stringent enterprises re-assess their third parties every 9 months. This presents another question: How does the enterprise track progress and changes in risk every 9 months? Quite simply, it can't.
What if the third party has a SOC2 or ISO certification?
There was a time that having a SOC2 (formally known as SSAE 16 or SAS 70) or an ISO 27001/2 certification meant that the third party had highly robust controls which translated to lower risk. But even having, or obtaining the certificate does not mitigate risks to the enterprise.
Lots of 3rd parties, some overseas
3rd parties have 3rd parties
Assessment responses are typically completed by sales personnel a formality and are generally spreadsheets
Assessments rarely extend into 4th parties
Technology scans are ineffective
Weight is placed on the contractual agreement
How can we fix this:
Ensure that the specific areas of the assessments go to the specific owners of the domains, in microsoft's case Security Policy, Training and awareness and access control.
Be able to reach out directly to the owners and get them to demonstrate the controls.