Target. Jimmy John's. Goodwill. Home Depot. These were just some of the largest and most publicized companies that experienced retail data breaches last year. Unfortunately, they aren't the only ones, and even though they are all different kinds of businesses, they all had one thing in common: their breaches linked back to third-party vendors. A 2014 report by BitSight, a company that rates how companies manage their security risk, revealed that fully one-third of retail breaches originated with third-party vulnerabilities.
"In our increasingly interconnected workplace, companies must consider not only their own system integrity but also the system integrity of any other party with access to their computer systems," says Steve Durbin, managing director of the Information Security Forum. "Hackers will seek the weakest link, and that link is often a third-party provider. A company's robust internal practices and policies may be futile if that company's vendors are not secure."
Durbin points out that caution shouldn't be confined to manufacturing or distribution partners. In Target's case, for example, the breach originated with an HVAC service provider. Your company's professional services suppliers, lawyers, and accountants are all third-party providers--often sharing access to your most valuable information--and it's crucial to do some research before hiring one. Here are some expert tips for making the right choice.
Vet Your Vendors
Look into their security practices. Gregg Landers and Brenda Piazza, of the professional services firm CBIZ/Mayer Hoffman McCann, offered these positive signs of a security-conscious vendor:
- They have comprehensive security policies and disaster recovery plans in place, and review and update them regularly. (You should also ask for copies for your records.)
- They regularly perform data back-ups and recoveries, and have a redundancy of back-up servers to avoid service interruptions if a piece of hardware fails.
- They regularly perform internal security audits.
- They perform thorough background checks on employees with access to your data.
Pay them a visit. "Have your IT and compliance teams do a site visit and talk to the vendor's operational team that will be handling your data," advises Piazza. "Consider making the site visit quarterly or annual, and have an agenda to discuss things such as any security events since the last visit; any internal or external audit results since the last visit; and any planned or upcoming changes."
Prepare On Your End
Know what—and where—your sensitive data is. "Businesses should first understand what sensitive data they have and where on their system they store that data," Durbin says. "Sensitive data should be segregated and protected, so that even if [someone] hacks into your system through a third party vendor, the hacker doesn't have full access to all of your data."
Have a strong internal security policy. "Companies need to make sure they have a comprehensive security strategy in place. Small businesses can't assume they are immune to attacks; in fact, are facing the same attacks larger businesses face," says Stephen Pao of Barracuda Networks, which provides content security, application delivery, and data storage and protection solutions. "It's important to be sure all threat vectors are secure. This means not having just one unified threat management system in place, but rather dedicated solutions—application firewalls, real-time malware protection, granular email security and management, web content security, web application security, and policy-based authentication and network access control solutions--to help keep the company safe."
Know your rights and responsibilities—and your provider's. It's critical to understand the ins and outs of your service-level agreements (SLAs), including the ramifications for providers and vendors who fail to meet them. "Always understand legal obligations in the contract regarding the security, confidentiality, ownership, and treatment of the data," Piazza says. It's also important to be clear on what constitutes a data breach, as well as the requirements and practices on both ends in the event of a breach.
There's no way to completely eliminate the risk when you're granting access to sensitive data to a third party. But with some extra attention to detail—both on your end and your vendor's—the risk can be manageable.