Name a firm that doesn't outsource its data. It's tough, right? And it's equally difficult to find a CIO who isn't concerned about cybersecurity. The fact is, outsourcing data poses security risks. The rise of technologies such as mobile, cloud and social — in addition to the shift toward an ever-connected, Internet-of-Things (IoT) world — has given cybercriminals a broader attack surface upon which to act. Privacy and data security have become the primary issues for firms that place their data in the hands of others.
It seems like everything went digital overnight. This shift comes with remarkable cost savings, convenience and flexibility, and as a result, firms of all sizes and in every industry are increasingly trusting their corporate data to third parties. Unfortunately, this shift doesn't always take into consideration the potential for third-party security incidents. It's up to firms to understand third-party security risks by performing their own due diligence on vendors and setting expectations on security during contract discussions.
Nothing can be 100 percent foolproof, but with a solid cybersecurity plan in place that incorporates vendor risk, a firm can position itself to deal with all types of incidents, attacks and their aftermaths.
Work Out the Details
Great vendor relationships that incorporate cybersecurity take work. Here are some tips to consider when thinking about incorporating vendors into your security plan:
- Create a risk classification. No two vendors are the same. Each one you work with will have a unique set of requirements and data access will vary among them. However, you must ensure that vendors trusted with high-risk duties and data are classified as high risk, not lumped in with a calculator app.
- Consider contract details. The most forward-thinking organizations are explicitly requiring an attestation of security from their vendors. This requirement can take the form of a software-vulnerability test report or a manual penetration test, and it must be met before the software purchase is finalized.
- Think about worst-case scenarios. IT leaders must define exactly what constitutes a security breach for their vendors and specify the expected disclosure time frame based on the severity of the breach. IT leaders cannot just assume a vendor will notify all customers of a breach in a timely manner; this must be part of the contract negotiations, and expectations must be clearly articulated.
- Plan for changing teams. Consider your policy for the vendor life cycle. Over time, your firm's risks will change — and, as a result, so will your vendors. Implement processes that determine how and when to re-evaluate each vendor's work and security practices, so that vendors "grandfathered in" years ago do not retain access to the most critical systems without proper security due diligence.
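The first, third and fourth tips above describe a small policy engine: classify each vendor by the data and access it holds, require an attestation and a contractual breach-notice window for the riskier tiers, and flag vendors whose last assessment is stale. The following is an added example, not code from the article, that implements that logic in Python. Every scale, tier threshold, review interval and notice window in it is an assumption chosen for illustration; the vendor records are constructed sample data.

```python
"""Vendor risk tiering and life-cycle checks (illustrative example; all
policy values below are assumptions, not figures from the article)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Vendor:
    name: str
    data_sensitivity: int        # assumed scale: 0 public .. 3 regulated/confidential
    access_scope: int            # assumed scale: 0 none .. 3 privileged/admin
    integration: str             # assumed values: "none", "api", "network"
    security_attestation: bool   # vulnerability report or pen test on file
    last_assessment: Optional[date]
    breach_notice_clause: bool   # contract states a disclosure time frame


# Assumed policy table: reassessment interval and expected breach-notice window per tier.
POLICY = {
    "high":   {"review_days": 365,  "breach_notice_hours": 24},
    "medium": {"review_days": 730,  "breach_notice_hours": 72},
    "low":    {"review_days": 1095, "breach_notice_hours": 168},
}

# Assumed weighting: a direct network integration widens the attack surface most.
INTEGRATION_WEIGHT = {"none": 0, "api": 1, "network": 2}


def risk_score(v: Vendor) -> int:
    """Additive score; data sensitivity is weighted double because it drives impact."""
    weight = INTEGRATION_WEIGHT.get(v.integration, 2)   # unknown integration is treated as worst case
    return v.data_sensitivity * 2 + v.access_scope + weight


def classify(v: Vendor) -> str:
    """Map a vendor to a tier. Regulated data alone forces 'high' regardless of score."""
    score = risk_score(v)
    if v.data_sensitivity >= 3 or score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def gaps(v: Vendor, today: date) -> List[str]:
    """Return the due-diligence gaps for a vendor relative to its tier's policy."""
    tier = classify(v)
    issues: List[str] = []
    if tier != "low" and not v.security_attestation:
        issues.append("missing security attestation (required before purchase for medium/high)")
    if not v.breach_notice_clause:
        hours = POLICY[tier]["breach_notice_hours"]
        issues.append(f"contract lacks breach-notification clause ({hours}h expected)")
    if v.last_assessment is None:
        issues.append("never assessed (grandfathered vendor)")
    elif today - v.last_assessment > timedelta(days=POLICY[tier]["review_days"]):
        issues.append("reassessment overdue")
    return issues


def report(vendors: List[Vendor], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Tier and gap list per vendor, keyed by vendor name."""
    return {v.name: (classify(v), gaps(v, today)) for v in vendors}


# Constructed sample vendors (not real firms).
SAMPLE_VENDORS = [
    Vendor("PayrollSaaS", 3, 2, "api", True, date(2021, 1, 15), True),
    Vendor("CalculatorApp", 0, 0, "none", False, None, False),
    Vendor("ManagedNetworkProvider", 2, 3, "network", False, date(2024, 3, 1), True),
]
AS_OF = date(2024, 6, 1)

if __name__ == "__main__":
    for name, (tier, issues) in report(SAMPLE_VENDORS, AS_OF).items():
        print(f"{name}: tier={tier}")
        for issue in issues:
            print(f"  - {issue}")
```

The point of the `classify` rule is the floor on regulated data: a vendor that handles it is "high" even if its integration is minimal, which is what keeps such a vendor from being "lumped in with a calculator app". The `gaps` check is what turns the life-cycle tip into something auditable, since a vendor with no assessment date on file is exactly the grandfathered case the article warns about.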
Take the time and effort to be a part of the contract-negotiation process and play an active role in managing vendor security risks. As the threat landscape evolves with third-platform IT and the IoT, it's up to you and your team to place importance on due diligence regarding your firm's corporate data and who is handling it at all times. Above all, remember that a strong, established security plan always lends itself to better business.