Businesses of all types and sizes today must navigate a complex matrix of vendors and partners. In many cases, there is frequent sharing of data, including sensitive and proprietary information, that could be problematic if hacked or stolen.
The advent of new technologies, including the Internet of Things, automation and cloud systems, make for the collection and sharing of information more accessible than ever before. However, the increased volume, accessibility and transfer of data creates problems and added risk for companies. To help companies protect information and minimize the risk of data theft, here are 6 answers to common third-party security questions.
1. How Can I Assess My Company’s Data Security?
The place to start is with an internal audit of your system. Which vendors have access to which data? How are they connecting to your networks and what can they access?
It’s smart to map your third-party partners, understanding who they are, how they access data and what data they can access. Make sure third parties only can reach information that is necessary. Often these audits can detect access that was given long ago to third parties that no longer should or need to have access.
2. What Can I Do to Assess My Third-Party Partners?
There are basic things you can do to ensure that third parties have the right safeguards in place when using your data. Asking for copies of their data security policies and audit results is an excellent place to start. If there are practices or results of concern, you can ask for more details. Some companies require their vendors to undergo a thorough security audit with detailed questionnaires or independent verification of processes and systems.
The practice is not just good business sense. Many new regulatory mandates, including the European Union’s General Data Protection Regulation (GDPR), require companies to ensure that third-party vendors are also compliant with the appropriate requirements.
3. What Foundation Do I Need to Data Security and Third Parties?
Be sure your organization has clear policies and procedures that govern data access and security related to third parties. Policies should be evaluated regularly to reflect new technologies or practices.
4. Who Is Responsible for Data Security?
Often, risk ownership can be a gray area as companies exchange data, update it and enter it into each other’s systems. A risk assessment matrix should be created that defines and tracks data within your corporate ecosystem. The matrix should include:
- Vendors, partners, customers and subcontractors throughout your supply chain
- Classifications of each third party based on how they interact with the organization
- Risk types mapped to each third party
- Risk levels assigned to each vendors’ assigned risk types
This exercise allows you to build a comprehensive risk assessment model to inform decisions, policies and access.
5. What Technologies Can I Use to Help With Security?
Ultimately, control rests with your organization. You can control the parties with access, the types of access, and the assets that can be accessed. Here are some tools to deploy to assist with that control:
- Encryption is effective in protecting data stored in your systems and transmitted to other parties. Encryption need not be applied to everything, but high-risk information merits investment in encryption tools.
- Two-factor authentication is another consideration. If you use multi-factor verification tools for internal access, you most certainly should do the same for external access.
- Risk-based authentication goes a step further. Rule-based access, such as only allowing access from a particular domain, can be incorporated into your security plan. If an access request does not meet the pre-defined rules, additional authentication layers are applied.
- Monitoring networks is a wise move. Monitoring what is accessed and by whom allows for a better understanding of information transfer. Firewalls that inspect data packets and issue alerts when unauthorized data are in play help prevent unwanted extrusion.
6. What Documentation Does My Company Need?
When you’ve determined your guidelines, policies and rules, be sure to put it in writing. Make it a part of your new contracts and insist on amendments to any existing agreements with third parties. Contractual guidelines help to protect companies from litigation as more plaintiffs go after multiple parties in the case of a data breach.
Not all contracts need to be the same when it comes to data access provisions, although it is good practice to establish a baseline of minimum requirements in all applicable third-party agreements.
With the growing threat of cyber attacks, an active approach to data security is a way for organizations to mitigate risk and ensure that data stay in the right hands.