Who’s Really Responsible For Third-Party Vendor Breaches?

Increasingly, suppliers, business partners, and third-party vendors are exposing you to more reputational and bottom line risks than ever before. Recent surveys provide a grim picture. As much as 63 percent of breaches are from third-party access. In fact, some of the shattering systems attacks have not been on the large corporations, but instead, their vendors.

The significant number of contractors in the current business context may be an element. You see, many enterprises are turning to contractors to reduce costs of operations and fill a specific need. So how do you ensure that your business data is safe as the circle of trust expands?

Data breaches of high-profile vendors, such as the 2015 Experian hack, a credit-processing agency, best underscores what is likely to happen to your firm if one of the vendors develops a security issue. Even though the hack was on Experian, the targeted information belonged to T-Mobile. The hackers stole millions of T-Mobile’s service customer’s data.

T-Mobile’s CEO did not hide his anger towards Experian, and deservedly so. You see, Experian had ignored to install the necessary security patches. But whose responsibility was it to secure the client’s data? Well, class lawsuits against both firms are pending.

Regulators are in consensus on the issue. According to The European Union’s General Data Protection Regulation (GDPR), the responsibility is on businesses to safeguard and keep track of the data collected, processed, stored and transmitted.  Additionally, the regulations stipulate that enterprises must inform customers, as well as, the European Supervisory Authority immediately after they discover a breach.

Financial regulators have always held banks responsible for any third-party problems. For example, in New York, the new regulation effective March 1st, 1997 places the onus on financial establishments to ensure vendors’ cybersecurity measures are sufficient.

Trust and Verify

In recent times, a handshake and a nod are not sufficient to earn trust. It’s imperative you verify and document your vendor’s trustworthiness. But how do you do this?

Assessments and Audits: these are among the most common methods of verifying trustworthiness. For a significant number of businesses, an evaluation will suffice.

However, the scope of the assessment sometimes ends up creating a fog as to the intention. As a result, it is crucial to keep it simple with the questionnaire. Create a meaningful by asking yourself the following.

  • What does the vendor do for us?
  • Does the vendor gather, process and store personal data on our behalf?
  • What kind of access does the vendor hold to our systems, networks, and data?
  • What are my main security fears when it comes to the specific vendor?
  • How do I determine the vendor is protecting the information consistent with our security standards?
  • What occurs to the data shared with the vendor?
  • Is the vendor able to provide the necessary certifications indicating compliance?
  • Who are the third-parties the vendor is in business with?
  • In what way does the vendor warrant security and compliance with subcontractors and third-parties?

Depending on the nature of the association and anything else you may need to know from the vendor, make sure each set of the questionnaire is unique.

Quality over Quantity

Survey creation should take a risk-based approach and be done carefully. Remember that its individuals that will be analyzing the results and possible distractions are likely to make you miss something. A brief questionnaire aimed at comprehending how the vendor will be using the data will be more likely to highlight possible security risks.

You can also audit the vendor. In fact, vendor audits are a growing trend, but they are not as easy as they sound. To make the process easier for you, determine whether the vendor has SOC-2 or other similar documentation. If so, then you can rest assured you are on the right track and can concentrate on what matters to your enterprise.

Situations that will prompt an audit include cases, where data shared, is highly sensitive, or you come across red flags during the survey process. As mentioned, keep the questions concise and focused. As opposed to a list-based approach, opt for the risk-based one, considering threats and concerns to your business. Determine the vendor’s commitment to protecting your business.

It is now increasingly critical to focus the security assessment and monitoring on third-parties. Yes, we cannot do without these third-parties, but that does not mean you throw all caution out of the window. Cybercriminals are likely to target these third-party firms hoping that their systems are not as robust as yours. Don’t be lax, instead, verify before you can trust.

Data is now the most important currency. A simple breach can be the end for your business as it would cost phenomenal reputational damage, as well as, fines and penalties. Mostly, the buck stops with you, not your vendors when it comes to protecting your information.

This article has been written by Ken Lynch, an enterprise software startup veteran and founder of ReciprocityLabs.com