Working with suppliers, partners, and third-party vendors has never been riskier to your bottom line. Approximately 63 percent of data breaches come from access outside a company, according to a recent survey. Some of the most devastating cyber hacks in recent years have occurred because of vendors working with big companies. This means it is not the fault of media companies, as many in the media portray.
The Reason More Data Breaches Occur Because of Third-Party Vendors
The volume of third-party contractors may be a factor in the number of data breaches. More and more big and small businesses are turning to contractors to save on costs associated with hiring full-time employees. They also turn to third-party vendors to fill specific niches such as data analysis or temporary employees. This causes companies to trust that their data will remain safe. As you hire more and more third-party vendors, how do you ensure data from your customers and clients remains safe?
In 2015, Experian, a credit-processing agency, and other high-profile third-party vendors experienced data breaches. This shows that just one data breach from a vendor, partner or supplier can damage your business. For instance, Experian’s database was hacked by cybercriminals. However, it was T-Mobile’s data they took. They stole the personal data of T-Mobile’s 15 million cellular service customers.
T-Mobile’s CEO was “incredibly angry” about the data breach. He had a right to be angry because Experian didn’t install security patches. Whose job was it to secure data? Many class-action lawsuits are pending against T-Mobile and Experian. This means they are being held equally responsible for the breach.
Many regulators agree that the responsibility of securing and tracking collected, processed, stored and shared data is on companies. As of 2017, New York financial firms are required to verify that vendors’ cybersecurity measures are adequately secure. This is according to 23 NYCRR 500.
Trust, but Verify Vendors, Partners, and Suppliers
A handshake or contract is no longer the way to do business in the world of data breaches. Today, it is about trusting contractors and verifying their trustworthiness. It also requires verifying the documentation.
Audits and assessments are the most common ways of vendor verification. Many businesses think an assessment is good enough. It can’t be good enough. To get the most out of the verification process, keep it simple.
Before creating a verification assessment, ask yourself the right questions, such as:
- Does the contractor collect, process or store employee or customer data on your behalf?
- What does the contractor do on your behalf?
- What access does the contractor have to your systems, data, and networks?
- How does a contractor ensure compliance and security measures are being followed by its subcontractors?
Each set of questions you ask yourself should be unique to each vendor you’re assessing. The questions should take into consideration the nature of your relationship with the contractor and what you believe is important to the assessment.
The Assessment is about Quality, not Quantity
It’s always important to take a risk-based approach when carefully crafting your survey. The more concise the assessment questions, the more emphasis on understanding how each vendor uses your data. This means you are better able to identify the security risks with each vendor.
For some vendors, an audit is required. Vendor audits are becoming more popular. One disadvantage is that they are a hassle. This drawback can be remedied. Find out if your vendor has SOC 2 or a comparable certification. This will put to rest many of your concerns and let you focus on your company.
If you’re sharing highly sensitive information, conduct an audit. If you spot one or two red flags in the assessment, conduct an audit. When conducting an audit, look for threats and concerns to your company. Look to see how each vendor does or doesn’t protect your company.
Trust, but Verify is the New Normal in Business
It is no longer OK to trust that your vendors are protecting your client and customer data. Trusting them but verifying that trust is now the rule. Cybercriminals are upping their efforts to hack databases. They hope third-party vendors’ systems are less secure than your company’s system. That’s why you can have the strongest security, yet your customers and clients can still become data breach victims.
Don’t let your customers and clients become data breach victims. Don’t take the chance that your third-party vendors are compliant and secure. Always trust but verify their security and compliance.
Data is the new currency for cybercriminals. In addition, a breach causes your business to incur fines, reputation damage and penalties. The opinion of who is responsible for the data breach is changing. Now you, not your third-party vendor, are responsible for protecting your company’s data. That’s why you must trust your vendors only after they’ve been verified.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.