As we recently saw in SA with Nedbank’s third-party breach, no company is immune to a breach at one of its suppliers. That incident highlights the fact that while the bank may be the attacker’s ultimate target, the company actually compromised is a different one. This is partly because banks tend to have mature protection programmes in place, whereas smaller providers rarely have the same resources to dedicate to data protection, so the supplier becomes the path of least resistance.
What are the risks?
Vendor risk management is a vital aspect of protecting your business’s data, and should come to the fore when you are looking at taking on a new service provider. Some of the risks that you should be cognizant of are:
Insufficient security controls
Simply put, the company you’re outsourcing to does not put the same controls in place that you do, and therefore is not protecting the data as carefully as you are. Since liability follows the data along the chain, you need to know exactly which controls your vendors have in place.
Use of unknown subcontractors
Companies often subcontract work without informing their own clients. This is a danger for precisely the reason detailed above: all it takes is for your supplier to subcontract to an individual or company that feels it is too small to worry about security, and you have a massive hole in your defences that you do not even know exists.
Sharing of credentials
When you supply a processor of data with access to your network or systems, it’s a harsh reality that the credentials you provide may ultimately be shared between various staff members at the processor – depending on who is in charge of which function. Even worse, these credentials often end up in Excel spreadsheets on a local network – something which should send a chill down any Information Officer’s spine.
Insecure storage of data at rest
A lot of companies place a great focus on securing data that’s currently in use, but can neglect to protect data that has been archived or placed in some sort of long term storage. Data at rest needs to be secured just as well as live data.
What can you do?
There are a number of things you can do to mitigate the risks I have listed above.
The right to audit
As a controller in a controller-processor relationship, you can and should be auditing your service providers. You should have a risk assessment that covers the aspects above (and more) and requires the service provider to give you assurance that they are looking after the data.
Limit access to internal networks
It may be a little more work, but issuing named, restricted accounts to your providers (if you absolutely HAVE to give them access) is critical. Ideally, you do not want direct access into your network at all, but where access exists you want to be sure who is performing what function on your network, which a single blanket VPN connection or shared API credential can never tell you.
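The credential-sharing risk described above and the named-account control here have a practical detection side: if one vendor account is logged in from several different source addresses at the same time, the password has almost certainly been passed around. The following is an added illustration, not code from the original post; it assumes a hypothetical VPN log format (timestamp, LOGIN/LOGOUT, user, source IP) and uses constructed sample lines.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample VPN log lines (hypothetical format, not from any real product).
# "acme-support" is a single credential handed to a vendor; "acme-jsmith" is a named account.
SAMPLE_LOG = """\
2024-03-01T08:58:03Z LOGIN user=acme-jsmith src=203.0.113.5
2024-03-01T09:00:12Z LOGIN user=acme-support src=203.0.113.5
2024-03-01T09:04:40Z LOGIN user=acme-support src=198.51.100.7
2024-03-01T09:10:00Z LOGIN user=acme-support src=192.0.2.44
2024-03-01T09:30:00Z LOGOUT user=acme-support src=203.0.113.5
2024-03-01T09:45:00Z LOGOUT user=acme-jsmith src=203.0.113.5
2024-03-01T10:00:00Z LOGIN user=acme-jsmith src=203.0.113.5
2024-03-01T10:30:00Z LOGOUT user=acme-support src=198.51.100.7
2024-03-01T10:31:00Z LOGOUT user=acme-support src=192.0.2.44
2024-03-01T10:40:00Z LOGOUT user=acme-jsmith src=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOUT) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Session:
    user: str
    src: str
    start: datetime
    end: Optional[datetime]  # None means no LOGOUT was seen before the log ended


def parse_sessions(log_text: str) -> List[Session]:
    """Pair LOGIN/LOGOUT events per (user, source IP) into sessions."""
    open_sessions: Dict[tuple, datetime] = {}
    sessions: List[Session] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key = (m["user"], m["src"])
        if m["event"] == "LOGIN":
            # A second LOGIN without a LOGOUT closes the earlier session here.
            if key in open_sessions:
                sessions.append(Session(key[0], key[1], open_sessions.pop(key), ts))
            open_sessions[key] = ts
        else:
            start = open_sessions.pop(key, None)
            if start is not None:
                sessions.append(Session(key[0], key[1], start, ts))
    for (user, src), start in open_sessions.items():
        sessions.append(Session(user, src, start, None))
    return sessions


def concurrent_sources(sessions: List[Session], log_end: datetime) -> Dict[str, Set[str]]:
    """Return {user: {source IPs}} for accounts with overlapping sessions from different IPs."""
    by_user: Dict[str, List[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    flagged: Dict[str, Set[str]] = {}
    for user, sess in by_user.items():
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if a.src == b.src:
                    continue  # same workstation reconnecting is not sharing
                a_end = a.end or log_end
                b_end = b.end or log_end
                if a.start < b_end and b.start < a_end:  # time intervals overlap
                    flagged.setdefault(user, set()).update({a.src, b.src})
    return flagged


def analyze(log_text: str) -> Dict[str, Set[str]]:
    """Parse the log and report accounts that look like shared credentials."""
    sessions = parse_sessions(log_text)
    stamps = [s.start for s in sessions] + [s.end for s in sessions if s.end]
    log_end = max(stamps) if stamps else datetime.min
    return concurrent_sources(sessions, log_end)


if __name__ == "__main__":
    for user, ips in analyze(SAMPLE_LOG).items():
        print(f"{user}: concurrent sessions from {sorted(ips)} (possible shared credential)")
```

Run against the constructed sample, only `acme-support` is reported, from three addresses at once, while the named account `acme-jsmith` is not, because its two sessions come from one address and do not overlap. The same logic applies to API keys if the log carries a key identifier instead of a user name; a blanket credential can never be attributed back to a person, which is the point of issuing named accounts.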
Draft and enforce Data Processing Agreements
It is absolutely vital to have proper contractual agreements in place with your service providers that oblige them to protect their networks, allow you to audit and evaluate them, and clearly define what is acceptable and unacceptable in terms of subcontracting. Data Processing Agreements (DPAs) are often overlooked in the rush of “getting things done”, to the detriment of future accountability and responsibility.
Penetration and vulnerability testing
The item that’s always too expensive until you’ve had an incident. Penetration testing is seen as a grudge purchase that costs quite a bit of money (often in excess of R50,000), but put that into perspective against how much higher the cost will be if personal data is breached through your third party. It is a responsible exercise to test the security of your providers and to work together on closing any holes in the security posture of their environment.
How can Ross G Saunders Consulting help?
While these risks are valid, they are nowhere near a comprehensive list of the risks in a third-party relationship. Ross G Saunders Consulting can assist in drafting the required documents, advising on security posture, and providing legal and technical services such as contract review and penetration tests. To find out more about how I can assist you, why not book a no-obligation exploratory call in my calendar below.