Automate SOC 2 Report Reviews

System and Organization Control (SOC) report reviews are a common part of the third-party due diligence function.  These reports can be lengthy, contain elements that you really need to understand and agree to, and must be reviewed properly; different reviewers may also produce different results.  It is not sufficient to only search the report for noted exceptions.  Your team members have better things to do than read through SOC 2 reports all day.  So, how can you automate SOC 2 report reviews?  Velocity automates this for you!

Details

Velocity automates all the items necessary to properly review a SOC 2 report including, but not limited to, exceptions, management responses, trust criteria, ensuring the vendor and product match the expected solution, and more.  The platform also extracts the “Complementary User Entity Controls” or CUECs and creates an “Acceptance” column so customers can formally agree to each control that they are responsible for.  Velocity creates an executive report that customers can read instead of having to read a lengthy SOC 2 report.  Customers can include details in the report such as listing the type of data that the vendor has access to.

Benefits

  1. Speed – Velocity will give you time back in your day by automating the SOC 2 report review process.
  2. Consistency – A company may have multiple employees that analyze a SOC 2 report differently.  Velocity’s automation gives consistent results every time.
  3. Accuracy – An employee may miss something when reviewing a SOC 2 report.  Missed details can be costly for a company as this is the process used to identify risks within a third party.  Velocity is not only fast and consistent, but also accurate with the reviews.  Velocity knows how to properly review a SOC report as it was built by practitioners.
  4. Documenting Third-Party Due Diligence – Collecting a SOC 2 report is not enough.  Companies need to document that they reviewed the SOC 2 report and Velocity provides a simple way to do that.

Full Assessment

Even after leveraging the automation within Velocity to review the vendor SOC 2 report, customers can still launch a full assessment on the vendor.  For example, let’s say a customer receives a vendor SOC 2 report and uploads it into Velocity.  The executive report that Velocity generates may contain concerning information about the vendor’s security posture.  The customer can then choose to launch a full Velocity assessment on the vendor to fully address the concerns and determine when the vendor will resolve the issues.

Conclusion

There is limited time in the day and Velocity is your go-to platform for automating SOC 2 reviews.  Velocity has the benefits of speed, consistency, accuracy, and provides a way for customers to document their third-party review process.

Facebook (Meta) Healthcare and Tax Payer Breaches

Over the past year, news outlets have been buzzing about Facebook, now called “Meta”, collecting vast amounts of data from healthcare organizations and tax return companies.  Some of these companies are announcing breaches as a result of this data collection.

Why are Companies Sending Sensitive Data to Facebook?

Let’s be clear – Companies are not trying to send their sensitive information to Facebook.  Companies are NOT going to Facebook.com and uploading their customer information.  Instead, Facebook is collecting this information via web tracker software that it offers to companies for free to monitor website visitor behavior.  Companies invest a lot of resources in their websites to ensure their customers get the best value and can easily navigate their offerings.  In order to see how customers interact with their websites, companies install web trackers to monitor button clicks, visitor statistics, navigation errors, and more.  Most websites have a method of logging user behavior using trackers that are generally hidden from the website visitor.  A couple of the many website trackers include Facebook’s Meta Pixel and Google Analytics.  Companies use these trackers to collect basic website visitor information, and oftentimes they do not realize that Facebook may be collecting sensitive information.

What is Meta Pixel?

Meta Pixel is Facebook’s web tracker software.  Facebook’s Meta Pixel is popular, easy to use, and it’s free.   Any company can download the code, install it on their website, and instantly see information about website visitors.  Companies can log into a dashboard showing daily website visitor statistics.

Is a Vulnerability in the Meta Pixel Software Causing the “Breach”?

There is no known vulnerability in the Meta Pixel software that is causing the breaches.  Instead, companies are announcing breaches because Facebook is not supposed to receive sensitive information.  Since Meta Pixel is collecting more information than intended, and Facebook was not authorized to have access to this information, companies are listing it as a breach or a privacy violation.

What Companies are Affected?

The Markup news outlet wrote an investigative report about a number of hospitals that had the Meta Pixel code on their website and their protected patient portals (Feathers, Fondrie-Teitler, Waller, & Mattu, 2022).  Some of the affected hospitals immediately removed the Meta Pixel software when they realized that it could collect more information than intended.  The Markup released another report showing how tax filing websites were sending sensitive taxpayer information to Facebook via the same Meta Pixel software (Fondrie-Teitler, Waller, & Lecher, 2022).  While the healthcare and financial industries are in the news for these issues, the website tracker breaches surely affect many industries as the Facebook Meta Pixel code is installed on millions of websites.

How is Meta using the Data?

It is unclear how Meta is using the collected data.  Facebook itself may not know what it does with this data according to a Vice report based on a leaked internal Facebook memo (Franceschi-Bicchierai, 2022).  In the leaked memo, a Facebook engineer stated “We do not have an adequate level of control and explainability [sic] over how our systems use data”.

Number of Individuals Affected

According to the 2023 Velocity Healthcare Breach Report, in the healthcare industry alone, over 6,000,000 medical records were affected in 2022.  The affected tax filing companies have millions of customers.  The number of affected individuals is most likely much higher and continues to grow as more companies announce that they had the Meta Pixel software on their websites.

What Can Companies do to Prevent this in the Future?

Companies should thoroughly investigate all web trackers to determine how data is utilized before placing the code in production environments.  Many companies have methods to perform security evaluations on new third parties as they go through the procurement system, but this scrutiny is not usually applied to free software such as Meta Pixel or Google Analytics.  Companies should ensure that any code changes go through a Software Development Lifecycle (SDLC) that includes a security analysis.
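One concrete way to perform the tracker review described above is to capture the site's outbound requests (for example a HAR export from browser developer tools) and flag third-party calls that carry values from sensitive form fields.  The script below is an added example, not code from the original post or from Stern Security; the hostnames, field names and the sample capture are constructed, and the pixel-style query parameters are an assumption about layout, not a recorded call.

```javascript
// Added example (not from the original post): audit a HAR-style capture for
// third-party tracker requests that carry sensitive form data. All hosts,
// field names and the sample capture are constructed for illustration.

// Field names that suggest regulated data (constructed list; extend per site).
const SENSITIVE_KEYS = ["email", "phone", "dob", "ssn", "diagnosis", "income", "refund"];

// Tracker hosts the reviewing team already knows about (assumed list).
const TRACKER_HOSTS = ["www.facebook.com", "connect.facebook.net", "www.google-analytics.com"];

// Decode a query string or form-encoded body into lower-cased key/value pairs.
function parseParams(text) {
  const out = [];
  if (!text) return out;
  for (const [k, v] of new URLSearchParams(text)) out.push([k.toLowerCase(), v]);
  return out;
}

// True when a parameter name or value mentions one of the sensitive fields.
function mentionsSensitive(key, value) {
  const blob = `${key} ${value}`.toLowerCase();
  return SENSITIVE_KEYS.some((s) => blob.includes(s));
}

// Walk the HAR entries; every request that leaves the first-party host is
// reported together with whether it targets a known tracker and which
// sensitive parameters it carried in the URL or the POST body.
function auditHar(har, firstPartyHost) {
  const findings = [];
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    if (url.hostname === firstPartyHost) continue; // first-party traffic is expected
    const body = entry.request.postData ? entry.request.postData.text : "";
    const params = [...parseParams(url.search), ...parseParams(body)];
    const leaked = params.filter(([k, v]) => mentionsSensitive(k, v)).map(([k]) => k);
    findings.push({
      host: url.hostname,
      knownTracker: TRACKER_HOSTS.includes(url.hostname),
      sensitiveParams: leaked,
    });
  }
  return findings;
}

// Constructed capture: one first-party API call, one pixel-style call that
// echoes a form field, one analytics pageview without sensitive data.
const SAMPLE_HAR = {
  log: {
    entries: [
      { request: { url: "https://portal.example-hospital.test/api/appointment", method: "POST",
                   postData: { text: "email=jane%40example.test&reason=checkup" } } },
      { request: { url: "https://www.facebook.com/tr/?id=123456&ev=SubscribedButtonClick" +
                        "&cd[email]=jane%40example.test&dl=https%3A%2F%2Fportal.example-hospital.test%2Fappointment",
                   method: "GET" } },
      { request: { url: "https://www.google-analytics.com/collect?v=1&t=pageview&dp=%2Fappointment",
                   method: "GET" } },
    ],
  },
};

// Only requests with a non-empty sensitiveParams list need a follow-up with the vendor.
function leakingHosts(findings) {
  return findings.filter((f) => f.sensitiveParams.length > 0).map((f) => f.host);
}

console.log(JSON.stringify(auditHar(SAMPLE_HAR, "portal.example-hospital.test"), null, 2));
```

Run the audit against a capture taken while walking through the site's real forms (appointment booking, filing flows), since a tracker that is silent on the home page may fire on the pages that handle sensitive input.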

How can Stern Security Help?

Our cybersecurity services team has extensive experience analyzing web trackers and the data that they send outside a customer environment.  Additionally, Stern Security’s Velocity application can be used to get your third-party risk management program in order and evaluate vendor solutions for cybersecurity and privacy problems.

Works Cited

Feathers, T., Fondrie-Teitler, S., Waller, A., & Mattu, S. (2022, July 19). Facebook Is Receiving Sensitive Medical Information from Hospital Websites. Retrieved from The Markup: https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites

Fondrie-Teitler, S., Waller, A., & Lecher, C. (2022, November 28). Tax Filing Websites Have Been Sending Users’ Financial Information to Facebook. Retrieved from The Markup: https://themarkup.org/pixel-hunt/2022/11/22/tax-filing-websites-have-been-sending-users-financial-information-to-facebook

Franceschi-Bicchierai, L. (2022, April 26). Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document. Retrieved from Vice: https://www.vice.com/en/article/akvmke/facebook-doesnt-know-what-it-does-with-your-data-or-where-it-goes

Third-Party Breach Threat – A Need for Vendor Risk Evaluation

If the SolarWinds hack taught us anything, it’s that the security of a company’s infrastructure is dependent on the resilience of their vendors. A breached vendor is a trojan horse that bypasses normal defenses and accesses the trusted areas of the network. Threat actors have cunningly discovered that a trusted vendor is often the easier path to infiltrate their primary target. Some of the top cybersecurity technologies in 2021 focus on vendor risk evaluation.

Even if companies have internal security teams, evaluating vendor risk is a resource-intensive process. Most organizations utilize spreadsheets to create vendor questionnaires. After several back-and-forth emails and several weeks, the vendor completes the questionnaire. Next begins an equally long process of internal deliberations to give the vendor a risk score. This process can take months for a single vendor. The current vendor security review process that most organizations perform is inefficient and varies in accuracy. Meanwhile, vendor breaches continue to skyrocket. In the healthcare industry, 21.1% of breaches were caused by vendors (business associates) from 2009 to December 31st of 2019. However, in 2020, breaches from vendors spiked to 39.7%!

Third party breaches in the healthcare industry from 2009 through 2019 (Source: HealthcareBreaches.com)

Vendor breaches in the healthcare industry greatly increased in 2020:

Third Party breaches in the healthcare industry in 2020 (Source: HealthcareBreaches.com)

A strong vendor risk evaluation solution is critical to combat these issues. A good vendor risk management product adds efficiencies, reduces cost, and increases security for organizations and vendors. These solutions automate much of the manual work and consolidate the vendor evaluations into a few places. Instead of every single customer performing their own evaluations, these solutions perform the work. These solutions can evaluate hundreds of vendors at once instead of the inefficient spreadsheet questionnaire evaluations and countless vendor security meetings that many organizations perform today. Internal vendor evaluations will become a process of the past and replaced by vendor risk management solutions.

Vendor security should be evaluated before the contract is signed. Vendors have incentive to strengthen security if their customers are grading them as part of the product evaluation and contract negotiation. If they want the business, they better have good security.

This field continues to grow rapidly as vendor breaches spike in frequency. Vendor risk management solutions will help combat this issue and shine the spotlight on third-party security. Without a doubt, this is one of the top cybersecurity segments in 2021. Proper vendor evaluation is needed to increase security and reduce risk.

Vendor Risk Management Program Maturity Levels

Vendor risk management is an incredibly complicated process.  While some methods are much more efficient than others, there is no consensus on how organizations should accurately manage vendor risk.  Every organization has a different maturity level in their third-party risk management program.  We generally see that organizations measure vendor risk at five different levels, each with an increasing level of security:

  1. Nothing at all
  2. Contract verbiage only
  3. Audit check only (SOC 2)
  4. Spreadsheet Security Questionnaire
  5. Vendor risk management platform

#1 Nothing at all

This group doesn’t measure vendor risk at all.  Some are in the beginning phases of their security program and have not started thinking about their vendor risk.  They’re still figuring out how to measure their own risk.  Many do not have the in-house expertise to begin measuring vendor risk.  There are a few in this group who incorrectly believe that by not knowing the actual risk of their vendors, they are not liable for any issues.

#2 Contract Verbiage Only

These organizations do not have time to measure the risk of their vendors, but they know something needs to be done.  Instead of spending an incredible amount of time measuring vendor risk, they instead add verbiage to all vendor contracts to state that the vendor must add all necessary security measures to protect the customer data from unauthorized access.  These organizations believe that they would at least be covered from a legal standpoint if a compromise were to occur at the vendor organization.

#3 Audit Check Only

In addition to adding security requirements within vendor contracts, some organizations also request completed audit reports from the vendors.  These audit reports may be a SOC 2 Type 2, HITRUST, or countless other audits.  The organization reviews the audit report for any glaring issues, puts a check in the “review box”, then archives the data.

#4 Spreadsheet Security Questionnaire

The infamous vendor spreadsheet security questionnaire.  On the positive side, this is so easy to start.  All an organization needs to do is open up their favorite spreadsheet application, put their company logo at the top, type out a list of security questions, and email it to all of their vendors.  While this seems easy at first, everything afterwards gets complicated.  After the vendor completes the questionnaire, the organization needs to determine the risk level for the vendor.  There are usually a number of internal meetings and then follow-up questions for the vendor and additional requests for vendor documentation.  Finally, after countless hours, a consensus is reached and the organization decides whether or not to use the vendor.  Afterwards, sometimes the executive leadership within the organization will simply accept any risk level just to do business with the vendor.  So many organizations have this spreadsheet process that vendors are just used to this inefficient method of measuring risk and have teams dedicated to answering different questionnaires for every customer.  After this entire process is complete, the customer knows the vendor risk for a single point in time and must decide whether to repeat this entire process a year later to get an up-to-date measurement of the vendor.

#5 Vendor Risk Management Platform

As the vendor risk management process begins consuming an immense number of internal resources, many organizations determine that it makes more financial sense to purchase a solution to manage vendor risk.  These solutions vary greatly in cost, efficiency, and accuracy.  At least the organization can now utilize their internal resources on other tasks.

Conclusion

There are five basic methods for measuring (or not measuring) vendor risk.  The methods vary in efficiency and security.  Even within these methods, the approaches and solutions vary in accuracy.  At Stern Security, we have worked with companies at all stages and could not recommend any of these options or any existing vendor risk management platform to customers.  That’s why we created Velocity – the world needed an efficient and accurate vendor risk management solution.  The Velocity platform utilizes passive reconnaissance and precise questionnaires which are all verified by an actual human analyst for accuracy.  When a vendor completes an assessment, they can share the results with any of their customers that utilize Velocity.  Everyone gets time back in their day and security is increased with Velocity.

For a look at how Velocity helps companies manage their security posture and vendor risk:

Book a Demo of Velocity to Learn about Vendor Risk Management Accuracy

Problems with using Spreadsheets to Measure Vendor Risk

Many organizations utilize spreadsheets to measure their internal security posture and vendor risk.  We get it – spreadsheets are simple, convenient, and come with the office suite that you already have on your computer.  Unfortunately, they do not scale and get out of hand quickly.

Let’s look at the internal side first.  Many people have exported security frameworks and regulations to Excel and other spreadsheet applications.  You can easily add a column to state whether or not your organization has a control in place.  Once your organization starts using the document more, things start falling apart. 

Measuring vendor risk with spreadsheet questionnaires is not any better. 

Here are the top five issues:

  1. Point in Time Review – It’s tough to show improvements over time with the spreadsheet unless you get very creative.  Generally, the spreadsheet shows the security posture at only a single point in time.
  2. Updates – When the frameworks, regulations, or vendor questionnaires change, a new spreadsheet must be developed and the work redone.
  3. Multiple Users – Sharing the file amongst multiple people may be difficult with concerns over individuals making changes at the same time, version control, and storage of the file.
  4. Macros – Many of the complex spreadsheets use macros, which can lead to security issues as malware often utilizes macros to execute.
  5. Scale – The spreadsheets may work well for keeping track of a few risk items, but not your entire security posture or all of your vendors.  It quickly becomes difficult to manage, annoying to share, upkeep is tedious, and it cannot show trends and improvements.

We’ve all been through the pains of using spreadsheets to measure vendor risk and that is one of the reasons why we built Velocity (https://www.velocitysec.com).  To highlight these spreadsheet inefficiencies, we also created a “Spreadsheet Anonymous” support group video.  Everyone that has been in this spreadsheet nightmare will enjoy this humorous video :-).

Vendor Risk Management Accuracy

Vendor Risk Management Accuracy is all that Matters!

Are Vendors Secure?

If you ask any company if they are secure, most would say “Yes, of course we are!” This is especially true of vendors. No vendor ever says, “No, we’re not secure, but trust us with your data.” Most vendors are not being dishonest; instead, they are overly optimistic about their vendor risk management accuracy and security posture, and many do not have security staff to increase their cybersecurity maturity.

Issues with Most Vendor Management Products

Companies will often look for products to help with their vendor risk management programs. Vendor Management products are generally divided into two categories:

  1. Self-Assessment Questionnaires: A questionnaire that the vendor fills out and once complete, it gives an automated score of the vendor’s posture.
  2. Automated Assessments: A solution tool that scans the internet for publicly available details on the vendor in order to determine the security posture.

Both of these vendor management products prioritize getting as many vendors in their system as possible. They then claim they are the best solution because they have the most vendors.  Unfortunately, this is meaningless because the results are inaccurate. There is the old adage, “Garbage in, garbage out.”

Self-Assessment Questionnaire Issues

Vendors are unrealistically optimistic about their own security posture, so vendor management products utilizing self-assessment questionnaires give unrealistically optimistic conclusions.  Not only are these vendors overly optimistic about their security, but many do not understand the security questions.  You hear responses such as “Yes, we have a SOC 2 Audit.  Here is the audit from AWS (Amazon Web Services), our cloud provider.”  Unfortunately, the referenced SOC 2 Audit only applies to AWS’s own environment, not the application that the vendor may host in AWS.  Instead, the vendor actually needs their own SOC 2 Audit for their own application.   Another typical vendor response is “Yes, we’re secure because we host our application at AWS.” However, AWS claims zero responsibility for the security of the vendor’s application, as they only provide the platform to host it.

A vulnerability scan is not the same as a penetration test.  Often vendors are asked if they have penetration tests performed on their solution and many will say “Yes, we have penetration tests performed every week!”  However, they are referring to automated vulnerability scans, not comprehensive penetration testing that encompasses a very detailed manual and automated examination of the solution.  If a vendor is filling out a questionnaire that asks them if they do penetration testing on their application, many will incorrectly say “Yes” even if they only do vulnerability scans. 

Vendors will often say “Yes, we have a Security Officer” and will designate the most technically savvy person in the organization as their “Security Officer.” However, this person may not be a security professional at all.  Sometimes this “Security Officer” is simply an IT support person or a project manager for the company.  While this may vaguely provide a “check in the box” for compliance, it is not accurate and does not help the overall security posture of the organization.

Thus the vendor management solutions that rely on these self-assessment questionnaires often have inaccurate results that give their customers a false sense of security.

Automated Assessment Issues

Automated Assessments are fast and give almost immediate scores that supposedly represent the security posture of the assessed organization.  These products rely on scanning the internet for publicly available information in order to give a risk rating for a company. While these are very quick, professionals know that they are highly inaccurate. It is like looking at a house on Google maps and determining how secure it is. Sure, you may see a broken window in a grainy picture or a bad neighborhood from a crime map, but you don’t really know how secure the building is.

These products have numerous pitfalls.  For example, consider a vendor offering visitors a public wireless network which is completely segmented on an air-gapped network separate from the corporate network.  Automated products may see that network and say that it looks like an insecure network which reduces the security posture of the vendor even though this network has nothing to do with the company or its security.  Another example is that some of these automated products will look at a company’s public website, find an issue on the site such as a weak SSL certificate, and claim that the vendor has a low security posture.  However, the corporate website may have nothing to do with the product/device that the vendor sells.

Velocity: The Solution to Vendor Risk Management Accuracy

The standard vendor management accuracy solution options are clearly broken.  On one side of the spectrum, you have automated assessments that give fast results that prioritize speed and volume.  On the other side of the spectrum, you have self-assessment questionnaires that prioritize convenience and volume.  Both of these options produce highly inaccurate results because the data is not verified.

Velocity was created to fix this broken system.  Velocity prioritizes Accuracy and Efficiency over volume.  A team of security professionals verifies all vendor data in the system before we provide a verified security score and vendor report.  Our system utilizes questionnaires and public reconnaissance in order to gather the data, but everything requires verification and supporting documentation before it gets a stamp of approval.

While the inaccurate vendor risk management products may provide a quick check in the box for compliance, they are not providing security and instead are giving customers a false sense of security with regard to their vendors.  If we are going to flatten the breach curve and reduce the amount of vendor breaches, we need to accurately measure risk.  The time has come to choose accuracy, security, and efficiency over volume and bare minimum compliance.