This week, Comcast Cable received prestigious recognition. CSO named the Comcast 360° Vendor Risk Assurance Program a CSO50 Award winner for 2016. The annual CSO50 Awards recognize 50 organizations for security projects and initiatives that demonstrate outstanding business value and thought leadership. A panel of judges that includes security leaders, industry experts, and academics evaluated and scored the nominations. CSO editors then made the final decision based on the scoring process.
The Comcast 360° Vendor Risk Assurance Program is powered by our Bay Dynamics Vendor Risk Assurance solution. We launched the solution to help enterprise businesses minimize the risk created by third-party vendors. Enterprises work with thousands of third-party vendors at once. Those vendors connect to the enterprise’s network and access the company’s most sensitive information. Vendors are an extension of the enterprise team and play a critical role in its success. However, third-party vendors, often unknowingly, are a threat vector. Their users do not always adhere to best security practices, putting their enterprise customers at risk of a breach. And, because the enterprise works with so many vendors, it often has little visibility into what the vendors’ users are doing. Which websites are they visiting? With whom do they typically correspond? What information do they access and why do they need it? How do they gain access to that information? The answers to those questions are often unknown to the enterprise, creating a major security blind spot.
We launched our Vendor Risk Assurance solution to eliminate that blind spot and enable complete visibility between enterprises and the third-party vendor users connected to their network. As part of our Risk Fabric® platform, our Vendor Risk Assurance solution collects information from the security tools enterprises already have in place, analyzes and correlates the data that pertains to their third-party vendor users, and provides the in-house IT and security team with an easy-to-understand picture of how users are behaving on their network. Simplifying the process even more, the platform gives the team a prioritized list of their riskiest vendor users so that they know who they need to take action on first to eliminate the risk. The platform also automatically starts the remediation process, notifying the appropriate individuals within the third-party vendor so that they can take action immediately. The goal is to help enterprises empower their vendors, enabling them to govern their own behavior and reduce their overall risk without any additional resources required from the enterprise’s internal team.
Changing and minimizing risky behaviors among third-party vendor users helps deter criminals from attacking in the first place, but what about those who are already inside? Because our Vendor Risk Assurance solution can decipher normal vs. abnormal behavior for each third-party vendor user, it can also detect if a user has been compromised. If we see multiple personalities coming from one third-party vendor user, we know a criminal is most likely posing as that user. By discovering the abnormal behavior early, we can stop the criminal in his tracks, blocking him from going any deeper inside.
As we have seen from the string of breaches during the past few years, third-party vendors continue to open the door to cybercriminals, most of the time unintentionally. But the responsibility for strong security does not fall solely on the vendor’s shoulders. Enterprises must do more to engage with their vendors. They should know if a vendor’s user is doing something risky and help the vendor take action to remediate that risk. In the end, both parties win when the criminals move on to easier targets.