You’ve increased efforts to secure your company’s data. Extra safeguards, new systems and procedures, best practices. Good job so far!
What about the companies you’re sharing data with? How are they doing?
Third party data breaches are (still) on the rise
As you might expect, breaches continue to occur, and with greater frequency. However, giving this topic a higher priority among those who outsource sensitive data isn’t keeping up. Given all the headlines and buzz, this is hard to believe, but the numbers prove it out.
According to a Ponemon study, while 56% percent of respondents confirmed that their organizations had experienced a data breach caused by one of their vendors, less than half say that managing outsourced relationship risks is a priority. This dichotomy is amazing with all the news of third party data breaches. And no company is immune.
Everyone outsources something
When it comes to outsourcing, just about every company relies on external resources in one form or another. We take for granted the basics like hosting a website or managing email. These almost transparent services are normally provided by a traditional third party vendor. Other areas such as managing unemployment claims may require the expertise of a specialized third-party provider if, for example, a company is looking for ways to lower unemployment insurance costs.
In this and any situation where sensitive data is going to be shared with a third party, a more holistic view of systems and procedures is necessary to lessen your exposure and risk. Again referencing the Ponemon study, 36% of companies surveyed who avoided a third party data breach in the last 12 months consistently practiced these suggestions:
What to do when your data leaves the door
1. Vet the vendor
This is more than a business. You’re trusting people outside your organization – ones you maybe haven’t met or will ever meet – with something that represents an intangible value to your company, and your clients. So review carefully, with your legal counsel and other appropriate staff the company’s written standards and data procedures policies. And not just for general compliance; do their levels of security align with your requirements? Your philosophy?
Another small but key insight: ask for their most recent regular security assessment. If you get blank stares, that’s a yellow (maybe even red) caution flag. Companies need to conduct periodic assessments of their data security programs, and have them available for review.
What’s their disaster recovery plan? OK, no one wants to think about it, but a data breach disaster recovery plan – approved and reviewed at least annually with you – may be the best insurance policy your company can have against unknown, lurking exposure.
2. Do your vendors have vendors?
The firms that you’re outsourcing critical services to may utilize vendors as well. These third party companies may rely heavily upon fourth party vendors, and business relationships are like a chain that’s only as strong as its weakest link.
So ask your third party vendor for this fourth party info:
● A copy of their vendor management policy
● A complete list of all vendors and the products and/or services they provide
● Copies of their most recent review of each vendor, the due diligence involved, and the outcome
3. Make sure your own house is in order.
Where is your sensitive data, and who has access to it? Is this data segregated so, should a third party get hacked, your remaining (non-shared) files and records are safe?
Is your current data security program up to or exceeding best practices and standards in your industry? If you’re not sure, your team may not be, either. Now may be the time to seek outside assistance, before any data leaves the building.
Only provide the necessary data, and nothing else . All too often the business provides full access to a host of information that the vendor doesn’t need. This only invites opportunity for greater data exposure.
4. Be clear on roles and responsibilities.
Both at your company, and the vendor. Who will be on point for you? Make sure they have a wide vision to see all the working parts that can go into data sharing (see 5 below).
And when you provide third parties with Personally Identifiable Information (PII), be careful not to assume your contractual liability limits risk. All too often that’s not the case, while possibly creating a huge liability issue when it’s too late.
To minimize your exposure should a third party breach occur, Service Level Agreements (SLAs) spell out the consequences for vendors who don’t live up to the Agreement. Another ounce of prevention.
5. Involve your teams, early and often.
Each of your internal groups have a unique and critical responsibility in the partnerships with your vendors. Your legal department will have their own mandatories, while IT will be focused on areas such as encryption, and so on.
And don’t forget the c-suite. Senior executives need to be more than just aware of business relationships with third party vendors, but understand their strategic contribution to the company and the potential exposure that may come along.
Bottom line: make sure everyone across your company’s vendor landscape understands their position and critical role in securing outsourced data to third party vendors.
Ready for a helping hand?
Do you know where your data is? Our clients trust us with their outsourced unemployment claims, so our business demands that we practice the utmost in data security and theft protection. Call us at 816.524.5999 or send us a message if you, and your data, feel exposed.