“Customers should pay close attention (to) their own security and take security into consideration when selecting a service bureau and working with other third-party providers,” SWIFT, also known as the Society for Worldwide Interbank Financial Telecommunication, said in a press release published on its website.
via SWIFT warns on vendor security after documents leaked by hackers | Reuters
I’ll admit I slightly smiled when I read this piece of advice from SWIFT. Images of pots and kettles came to mind from many years ago.
But third parties and vendors are part of the fabric of most enterprises, whether that be a cloud provider hosting apps or entire infrastructure, an outsourced HR function, or a specialist firm preparing financial statements.
So while it’s not possible to avoid third parties, many fundamental security practices can help mitigate the risks. Examples include:
- Knowing your assets – by understanding your assets, particularly critical ones, it becomes easier to determine which systems third parties should have access to and to restrict their access to those.
- Monitoring controls – having effective monitoring in place to determine whether third parties are accessing only the systems they should, and in the manner they should. Behavioural monitoring can help in this regard by highlighting where activity falls outside of normal parameters.
- Segregation – by segregating networks and assets, one can contain any breaches to one specific area.
- Assurance – proactively seek out regular assurance that the security controls implemented are working as intended.
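
The first two points can be combined into one check, shown here as an added example that is not part of the original post: access by third-party accounts is compared against an asset inventory and against a baseline of normal hours. The inventory (`ALLOWED`), account names and log lines are constructed for illustration, and the one-hour slack around observed hours is an assumed stand-in for a real behavioural baseline.

```python
from collections import defaultdict
from datetime import datetime
# Hypothetical asset inventory: systems each third-party account may access.
ALLOWED = {"vendor-hr": {"hr-portal"}, "vendor-fin": {"ledger-db", "reporting"}}

# Constructed sample logs: timestamp, third-party account, system accessed.
BASELINE_LOG = """\
2024-03-04T09:12:00 vendor-hr hr-portal
2024-03-04T14:40:00 vendor-hr hr-portal
2024-03-05T10:05:00 vendor-fin ledger-db
2024-03-05T16:30:00 vendor-fin reporting
"""
NEW_LOG = """\
2024-03-11T10:15:00 vendor-hr hr-portal
2024-03-11T10:20:00 vendor-hr ledger-db
2024-03-12T02:47:00 vendor-fin ledger-db
2024-03-12T15:05:00 vendor-x hr-portal
"""

def parse(log):  # yields (datetime, account, system) per non-empty line
    for line in log.splitlines():
        if line.strip():
            ts, account, system = line.split()
            yield datetime.fromisoformat(ts), account, system

def learn_hours(log, slack=1):
    """Normal working window per account: observed hours widened by `slack`."""
    hours = defaultdict(list)
    for ts, account, _ in parse(log):
        hours[account].append(ts.hour)
    return {a: (max(min(h) - slack, 0), min(max(h) + slack, 23))
            for a, h in hours.items()}

def review(log, allowed, windows):
    """Return findings for access outside the inventory or the hour baseline."""
    findings = []
    for ts, account, system in parse(log):
        if account not in allowed:
            findings.append((ts.isoformat(), account, system, "unknown third-party account"))
            continue
        if system not in allowed[account]:
            findings.append((ts.isoformat(), account, system, "system outside approved access"))
        lo, hi = windows.get(account, (0, 23))  # no baseline yet: hours not judged
        if not lo <= ts.hour <= hi:
            findings.append((ts.isoformat(), account, system, "outside normal hours"))
    return findings

if __name__ == "__main__":
    print(*review(NEW_LOG, ALLOWED, learn_hours(BASELINE_LOG)), sep="\n")
```

Run against the constructed logs, it reports three findings and leaves the in-policy `vendor-hr` access to `hr-portal` unflagged.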