With coronavirus forcing millions of Americans to work from home, many companies’ cybersecurity controls are getting real-world tests for the first time.
Employees are logging into company networks on personal devices that may or may not be up-to-date with patches and firewalls. Phishing emails, using coronavirus as a hook, are tricking some workers into downloading malware, giving cybercrooks the opportunity to steal data or install ransomware.
How do you know that your vendors are keeping their networks—and your data—safe? (This is especially hard to answer when vendors won't share the results of vulnerability scans or penetration tests, citing security reasons.)
Vendors may swear up and down that their systems are secure, but the only way to know for sure is if those controls are audited. That’s why the SSAE 18 exists.
SSAE 18 is an audit standard that has become an industry norm. A properly conducted SSAE 18 audit provides assurance that the right controls are in place to protect data, maintain availability, protect privacy, and accurately process payments. It requires a risk assessment program and third-party vendor controls. It's an expensive, time-consuming process that requires an examiner to evaluate, test, and attest to the effectiveness of information security and operational controls.
The SSAE 18 also requires vendors to supply written attestation, from management, that system descriptions are true and complete. This provides additional assurance by creating liability and pressure for management.
Here are three key control areas covered by an SSAE 18:
A vendor needs to know what’s going on inside its solutions, databases, and networks at all times. Is someone trying to break in? Are employees accessing data they shouldn’t have access to? Active monitoring ensures that no one is accessing anything they shouldn’t.
Monitoring should cover every point of access to the system. There should be systems in place to detect and identify changes to files, generate real-time alerts, and detect unauthorized changes. If malicious actors or entities are trying to infiltrate your systems and exfiltrate data, you want your vendor to immediately detect it.
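As an added illustration of the "detect and identify changes to files" control described above (example code written for this article, not a tool from any vendor or auditor), the following script builds a hash baseline of a directory, compares a later snapshot against it, and emits one alert line per added, removed or modified file. The directory contents in the demo are constructed for the example.

```python
"""File-integrity baseline and comparison (added example, not part of the article)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 digest of in-memory content."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Return the added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def alerts(diff: dict) -> list:
    """Render one alert line per change, in a fixed order so log parsers stay simple."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for path in diff[kind]:
            lines.append(f"ALERT file {kind}: {path}")
    return lines


if __name__ == "__main__":
    # Constructed demo: a scratch directory stands in for a monitored config tree.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_text("debug=false\n")
        (root / "users.txt").write_text("alice\nbob\n")
        baseline = build_baseline(root)
        # Simulate unauthorized change: config edited, a file appears, a file vanishes.
        (root / "app.conf").write_text("debug=true\n")
        (root / "unexpected.bin").write_bytes(b"\x00\x01")
        (root / "users.txt").unlink()
        for line in alerts(compare_baselines(baseline, build_baseline(root))):
            print(line)
```

In practice the baseline would be stored outside the monitored host (an attacker who can edit the files can usually edit a local baseline too), and the alert lines would be shipped to a log collector so that a change is seen as it happens rather than at the next audit.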
Never assume your vendor is engaged in monitoring. It may be a best practice, but judging by the many examples of long-term breaches that went undetected, it's also something a lot of vendors skip.
In late December, Wawa announced that a breach of its payment card processing system had gone unnoticed for 9 months, allowing crooks to steal customer payment information. Now 30 million of those records are allegedly being sold online, according to KrebsonSecurity.
Failure to monitor also contributed to the Equifax breach that exposed 145 million Americans’ financial data over a three-month period. Not only did Equifax not patch a known vulnerability, it had no idea how many machines were connected to its network.
An SSAE 18 ensures an outside auditor has validated IT controls.
You want your vendor to be able to identify a breach, but even better, you want to make sure they have controls in place to prevent one from happening in the first place. This includes everything from firewalls to antivirus software.
Hackers are constantly trying to break into systems. Just last month the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that North Korea has been mounting cyber attacks against financial institutions. Meanwhile, coronavirus cyber scams continue to proliferate.
An SSAE 18 audit can evaluate these preventative controls and lets you know if your vendor is using practices like:
- Zero trust. Everything connecting to a network, whether it's a database on the server or a laptop, should be treated with the same criticality and secured. Never assume that a connection or device is secure. Data shouldn't be able to leave a data center without passing through authentication controls. Data should be secured so that attackers can't move laterally to take control of other systems.
If a vendor is only protecting its data center and not the laptops on its network, then it's possible for a hacker to use email and reset a password to gain access. This is a great example of why an SSAE 18 on a data center alone is not enough. The vendor needs to have an audit of the internal controls for its systems, laptops, and computers that access the data center.
- Defense in depth. Defense in depth means that there are layers of security. The least critical data should be stored at the perimeter of the network while the most secure items are stored deep in the center. There are role-based access controls (RBAC) to ensure employees have access only to the data they need.
- Secure development. This is the practice of ensuring applications are developed in a secure manner with things like dynamic scanning, static scanning, and penetration testing. Applications are built using risk management and remediation practices so that data security is built into an application from day one. While big companies like Microsoft have insiders and outside parties regularly looking for and reporting vulnerabilities, smaller companies are less likely to be engaging in security checks of their own software.
Proper maintenance ensures systems and protections are up to date. This includes everything from patches to antivirus programs.
Don't just take your vendors' word that their networks are secure enough to guard against the cybersecurity risks of a remote workforce. Don't just accept the SSAE 18 on the fourth-party data center. Ask for their SSAE 18 and key fourth-party SSAE 18s (or require the results in vendor agreements) so you have outside confirmation that their IT security controls are strong and effective.