Cyberattacks have become more frequent in recent years, with some particularly notable occurrences, such as attacks on Sony Pictures, Target, Dow Jones, Ashley Madison, Home Depot, JPMorgan Chase, and the Democratic National Committee. How hackers gained access varies case by case, but in some instances, the culprit was a compromised vendor system.
“No company is immune to cyberattacks,” Dow Jones chief executive William Lewis admitted after an attack on his company. There are ways to make it harder for hackers to gain access, but it’s going to require that everyone step up their game. That’s the reason cybersecurity experts from nine tech companies have banded together to create the Vendor Security Alliance (VSA), a coalition determined to establish cybersecurity standards that businesses can use to assess how secure third-party providers really are.
Started by Uber’s head of compliance, Ken Baylor, VSA seeks to offer companies peace of mind when it comes to working with vendors by ensuring that those providers’ cybersecurity practices are as strong as they need to be to protect everyone. Alongside Uber, founding members of this group include Docker, Dropbox, Palantir, Twitter, Square, Atlassian, GoDaddy, and Airbnb.
“There needs to be standards because there have been problems with breaches, and some are very large,” Baylor said. “Every company has their own way to do due diligence — some are security-focused, but others aren’t.”
Every year, the group will release a questionnaire that any business can pass along to their vendors. This document will dig deep into the vendor’s security practices, inquiring about policies around data protection and access controls, how data is defined and whether it is allowed in a production environment, what type of encryption is used, how the vendor will respond to a breach or to threat intelligence, what plans are in place around reactive security, and what the vendor’s software development lifecycle is.
Once this survey is completed, it’s reviewed by an independent third-party auditor — VSA has yet to select a specific firm — that specializes in information security. Vendors will be assigned a grade based on their answers, a score the coalition hopes will be as impactful as the health rating restaurants receive after an inspection. The expectation is that businesses will see the grade and be proactive in choosing the vendors with the best security practices in place.
Vendors can also use their VSA-certified score to overcome procurement obstacles, avoiding additional audits by potential clients. “It really rewards vendors that have really good cybersecurity practices,” Baylor explained. “This has been a differentiator for years, but no one has been able to go and measure it.”
Over time, it’s likely the organization will compile an annual report detailing the preparedness of vendors in the area of cybersecurity.
Baylor shared that membership in VSA is available. There will be a fee to join, but the amount has yet to be determined. Companies that join won’t just sit back and put a score on their resume, however. Instead, they’ll be asked to participate actively and to use the questionnaire as the default auditing system for all of their vendors. “We want active participation,” Baylor said. “The real goal is about making a strong change and [making] the internet safer for everyone.” All members will be asked to contribute to making the questionnaire better each year.
Strong cybersecurity benefits everyone, and that’s why the questionnaire is being made widely available. Non-members can use it to audit their vendors, though the independent verification will only be offered to those participating in VSA.
This isn’t an organization formed by individuals or security officers — VSA has the backing of entire companies. When Baylor started it, he sought out fast-growing firms that were adept at implementing change and had good security in place. He reached out to eight, hoping to lock down five. To his surprise, all of them joined and have actively contributed to the cause.
“The work that the VSA is doing is really important,” Square’s risk and security lead, Sam Quigley, told VentureBeat. “Until now, there hasn’t been a single, agreed-upon way to make sure vendors secure their data, networks, and infrastructure. I’m excited that Square can help chart a new course and be a part of the solution—higher standards will make the internet a safer place for everyone.”
It would be remiss not to mention that there are numerous security groups and organizations all trying to find the right answer to protecting infrastructure and data. VSA is targeting one potential vulnerability — how do you secure your company when it has multiple vendors integrated into different facets of your business? Soon, instead of conducting individual audits of each vendor, which can be time-consuming and produce inconsistent results, businesses can use a standardized questionnaire to verify that cybersecurity protocols are in place.
Although VSA has launched today, Baylor said the first-ever questionnaire will be unveiled publicly starting in October.