Cybersecurity Best Practices When Working With Third-Party Vendors

Cybersecurity Awareness Month is here to serve as a reminder in staying educated on the topic so that we, as an industry, can continue to protect every single real estate transaction. The Cloudstar ransomware attack was a devastating example of an advance on the entire infrastructure – a provider of cloud-IT solutions for many settlement services companies. 

Whereas individual companies were the original target before, attacks of this nature are a growing concern. According to the New York State Department of Financial Services, 2020 alone showed a 300 percent increase in ransomware attacks.

Despite their potential risk for such advances, the reward of having a cloud-based data service that grows with your company and increases productivity makes them something that every title business should consider. Cloud computing offers remote access to the most-used applications in the industry and helps manage data more efficiently. However, third-party vendors are not immune from being compromised, so title companies must reinforce their own cybersecurity for maximum protection.

As the SEC increases its efforts to tackle cyber enforcement, it’s becoming increasingly necessary to create even a simple strategy for cybersecurity – a company can’t rely on third-party vendors for everything. Some steps to take involve asking questions to your vendor, understanding their process for a potential attack, reading the fine details of your cyber liability insurance policy, and using the best practices for data storage.

What is a Cloud-Based Service?

During an episode of FNF Unplugged, host Chuck Cain asks Kevin Nincehelser of Premier One about cloud computing.

Premier One is an IT support company that offers a suite of services for businesses, such as cybersecurity, software support, technology support, and other cloud-based solutions. Kevin demystifies this modern data storage solution. He broke it down into two essential areas: the cloud and security.

Cloud technology works in tandem with an added layer of security to create an optimized solution to data management. At the end of the day, the cloud is just where the data and applications are accessible, but the information is still stored on a physical device, Kevin pointed out. While third-party vendors provide security to their customers, it’s still essential to have internal layers of cybersecurity.

Three questions to consider with cloud services:

• Where is the data?
• How is it being accessed?
• Who owns the equipment?

Why Use a Cloud-Based Service?

There are advantages and disadvantages to utilizing a cloud-based data management system for a business, but at the end of the day, it has to be what makes sense for a business’ needs. Cloud-based solutions make the most sense for companies growing rapidly because they can quickly grow with the business – probably the most significant benefit offered.

Another benefit is the detection of interruptions or suspicious activity on your servers – also known as Endpoint Detection and Response (EDR). Third-party cloud-based services can help monitor operations for any issues without manual action from employees, increasing security overall. Lastly, centralizing data and applications can help boost efficiency and communication between employees as well as other companies.

Prepare for the Unexpected

When working with a third-party vendor for IT support services, there are many parts of the process that a business should understand about the services rendered. It’s an unfortunate reality that a business’ needs might change or that an attack might affect the services offered – better to ask about these situations ahead of time.

Some areas to consider before working with a vendor:

• What is the exit plan if services are no longer needed?
• Does the company have a good reputation?
• What level of access is offered for the data?
• What is the process for crisis management?

Review Your Cyber Insurance Coverage

Additional cybersecurity insurance coverage may be needed when working with someone else’s servers or a third-party vendor. It really depends on a company’s needs and risk level.

Cyber liability insurance comes in two types:

• First-party (protects a company)
• Third-party (protects those affected by a company’s breach of security)

According to ALTA, insurance premiums for cyber coverage have increased by 25% in just the second quarter of 2021, resulting from “poor risk management protocols, lack of employee training, and more ransomware attacks.”

An insurance company should also be a primary point of contact if a company is a victim of a cybersecurity attack. Providing the insurance company with the information early on can guide a company through the other contact points involved in a post-attack plan.

Train Employees on Cybersecurity

One of the most significant areas that companies tend to fall behind in is employee awareness and training surrounding cybersecurity. Apart from the security offered through third-party vendors, a company’s employees are its biggest line of defense. When working with a vendor, daily users must know how to look for unusual activity and understand the recovery plan from an attack.

Cybersecurity training for a company’s employees can be integrated in a variety of ways. Initial training for new employees and continuing education for seasoned members of the company is an excellent starting point. Furthermore, internal communication surrounding updates with cybersecurity, continued conversations in meetings, and internal testing can also strengthen a cybersecurity strategy.

Follow Data Management Best Practices

We spoke with Andy Daniel, the VP of Information Security at PropLogix. He referenced several key areas when it comes to protecting data at a company.

Backup Your Data Strategically

Backing up data is extremely important when it comes to preventing a huge loss from a ransomware attack, but even more important is keeping multiple copies and having them off-site. Another line of defense is to encrypt the backed-up data to make it unreadable by outside sources so that there is no vulnerability.

Taking it one step further, those “data buckets,” as Andy called them, should not be connected – in other words, don’t put all your eggs in one basket. The way a ransomware attack propagates, as Andy put it, is that an endpoint – a physical device that is the “end” of a network – is compromised and the access allows the attack to “infect” the source of data. The data is then rendered useless or encrypted by the ransomware, making it inaccessible to a company.

Analyze and Test Your Recovery Procedure

Andy suggested that a company both analyzes and tests recovery procedures. This helps ensure that employees and any third-party vendors being used can work cohesively to quickly bring the business back online. There are two elemental parts of a data recovery procedure for most companies. A Recovery Point Objective (RPO) and a Recovery Time Objective (RTO). 

Recovery Point Objective

An RPO is used to identify the amount of time that can pass in an outage before the amount of data lost exceeds a business’ allowance. In a company where large quantities of data are processed every minute, the greater the hit will be in an outage. Backing up more frequently minimizes the impact of any sort of outage, whether related to a ransomware attack or not.

Recovery Time Objective

Second to the RPO, is a Recovery Time Objective, or RTO. An RTO is simply the duration of time that a company can handle an outage without normal business activities being seriously impacted. During this period, a company may have to re-enter data, either manually or through an automated process, but if the amount of downtime falls within the RTO, the business’ customers may not be affected.

It’s Time to Build a Strategy

Cybersecurity has been a topic of discussion for the past several years, but as time progresses, new advanced technologies are offered in the industry, and attackers become more sophisticated, the need for a clearly defined strategy grows.

The Cloudstar attack is just one of many attacks that reminds title companies to prepare their internal security as well – third-party vendors can’t do it alone. Title companies need to act now as they work with cloud IT service providers by understanding their cybersecurity insurance, using data backup best practices and training employees to be a part of the company’s protection.

For more insight on cybersecurity best practices, listen to our Title Talks episode with Tom Cronkright.

This content is provided for informational purposes only. PropLogix, LLC (PLX) is not a law firm; this content is not intended as legal advice and may not be relied upon as such. PLX makes no representations as to the accuracy, reliability, or completeness of this content. PLX may reference or incorporate information from third-party sources, upon which a citation or a website URL shall be provided for such source. PLX does not endorse any third party or its products or services. Any comments referencing or responding to this content may be removed in the sole discretion of PLX.