Internet trolls hide behind the anonymity of the web to make inflammatory comments in online communities with the intent of leaving emotional carnage in their wake. Fairy tale trolls hide under bridges and pose riddles to unsuspecting bridge-crossers, who must answer correctly or be eaten.
But what is a security troll?
A “security troll” is also a pernicious entity looking to take advantage of us. In particular, it’s a company or individual playing upon the heightened security and data privacy concerns of businesses by offering often sub-par “security assessment” services. You need to be on your guard against security trolls. If you aren’t, you will find yourself drained of time and money with nothing to show in return.
Any time a software vendor makes the news because of malware, ransomware, or any other type of breach, regulators urge businesses to make sure they are performing due diligence on their vendors to verify data security. This is entirely appropriate. As an institutional investor, you may rely on security assessment firms to support your due diligence process. That is also entirely appropriate, but only if they are legitimate. We do not want you to be exploited by bogus security trolls masquerading as qualified security assessors. Here are three ways to spot a security troll so you can wisely choose security assessment firms that will help your organization, not hinder it.
1. Security Trolls Don’t Ask for Authorization
The most important question you can ask a security assessor before hiring them is: “Do you have authorization from the vendors you are assessing to do this research?”
Why this question is critical: without authorization from your vendors to conduct research into their security, the only information a security assessor can get is what is commonly available through the most basic security tools. In security parlance, this is referred to as “reconnaissance.” These tools simply take a look around the outside of a vendor’s network – because the security troll has no way of getting inside the network to perform a comprehensive review of the security measures that are in place. Security trolls adore this approach since it is quick, easy, and cheap.
In contrast, qualified security assessors have authorization from your vendors to check into their security protocols. That means they are in contact with your vendors and have access to their networks to do rigorous security checks. They are not conducting reconnaissance; they are doing a hands-on evaluation.
You can think of this as the difference between someone driving past a store and taking a picture of the building for Google Maps versus someone going into the store and examining the inventory to provide a thorough critique. The person who went inside will give you more meaningful information about that business, and that is what you want a security assessor to do too.
If your organization has already conducted due diligence on your vendors, be familiar with the security answers you have received. You do not want to pay an independent security assessor to validate facts about your vendors that you already have on file.
2. Security Trolls May Hide Behind the Fine Print
When you sign a contract with a security assessor, be mindful of what exactly you are being offered. Too many times, our clients have shown us reports from security trolls that contain wording along the lines of: “security-related analyses . . . are statements of opinion . . . and not statements of current or historical fact as to the safety of transacting with any entity, recommendations regarding decisions to do business, endorsements of the accuracy of any of the data or conclusions, or attempts to independently assess the security measures of any entity.”
While disclaimers like this may be standard in the security assessment space, they afford security assessors a lot of leeway to make mistakes, take shortcuts, and jump to conclusions without fear of repercussion. In other words, a report from a security assessor is only as strong as the security assessor who provides it.
3. Security Trolls May Make Assumptions that Waste Your Time
Finally, you want to choose a security assessor who will give you valid conclusions on which you can base vendor-related decisions. As already stated, that means they had better go deeper than what a “drive by” glimpse of your vendors might show.
For example, one of Backstop’s clients hired a security assessor that paid for cookie tracking information. The cookies that traced back to Backstop’s IP address indicated that they came from unpatched Windows 7 computers, which prompted the security assessor to erroneously report that “Backstop does not patch its computers.” What the security assessor did not realize was that we run a guest network, and our guests sometimes use their personal, unpatched devices. Cookies from the guest network come from the same IP address as those from the company computers, so the two cannot be told apart from the outside.
In the above example, the security assessor made a determination without asking for authorization to conduct research or reaching out to us to inquire about their findings. Had they done so, we would have been able to easily explain the circumstances. The net result was that our client wasted time and energy getting clarification about an invalid assumption rather than receiving the benefit of conclusions founded upon well-researched facts.
The Moral of the Story: Get a Great ROI on a Security Assessment
You have a responsibility to your stakeholders to conduct due diligence on your vendors to confirm they have robust security in place. Security assessors can play a key role in fulfilling that responsibility. However, not all security assessors are created equal. A security troll can damage a vendor relationship by fostering distrust based upon invalid data and faulty assumptions.
Be conscientious in choosing a security assessor. Look for a company that obtains the necessary authorizations to conduct in-depth evaluations of your vendors, stands behind their report and recommendations, and draws actionable conclusions based upon facts. You will receive the independent confirmation you are looking for so you can assess and address any risks and vulnerabilities. Where everything is in good order, you will be able to proceed with confidence. And that is a great return on your investment!