Do you know how well your vendors, business associates, contracted third parties (who I will collectively call “contractors”) are protecting the information with which you’ve entrusted them to perform some sort of business activity? You need to know.
Late last year, a study of breaches in the retail industry revealed 33 percent of them were from third party vendor access vulnerabilities. The largest healthcare breach in 2014 was from a business associate (the contractor of a hospital system) and involved the records of 4.5 million patients.
The list of breaches caused by contractors throughout all industries could fill a large book. The damage that your third parties can cause to your business can be significant. Do you know the risks that your contractors and other third parties bring to your organization? Or, will your contractors take down your business because of their poor security and privacy practices?
I’ve led over 300 contractor information security and privacy assessments. I’ve see a lot of crazy things, risky things, and downright incredibly stupid things. I’ve also seen a lot of common information security and privacy problems that contractors bring to those hiring them.
As a start to your contractor information security and privacy management activities, here are five things to check on when contracting another company to perform services on your behalf, especially those involving personal information.
- Documented information security and privacy policies and procedures need to exist. And not only exist, the employees also need to know they exist, and they need to be actually following them. The policies and procedures also need to be kept updated to address changes in the business environment, risk environment and to meet changes in legal requirements. A large portion of the contractors I’ve assessed said they had policies and procedures, but when I asked to see them they’ve replied something to the effect of, “Oh, they are undocumented but understood policies. We are a small company; we share our policies by word of mouth.”
You need to make sure they have documented policies and procedures. If it isn't written, it isn't true.
- They need to understand their obligations to appropriately safeguard personal information. In the past year I’ve actually had over a dozen contractors state that they did not believe that they needed to safeguard personal information if that information is discoverable online. What blockheads are continuing to spread this horrible advice? Worse yet, some of these contractors with this belief were even selling the personal information to create another revenue path.
You need to make sure your contractors understand that they must appropriately secure, and not share, the personal information you’ve entrusted to them.
- They need to provide security awareness training. Many of the activities contractors say they do for training are not training. One contractor I assessed said their training was the message they sent to their employees telling them to read the information security policies; this is *not* training. Another contractor copied, verbatim, the entire HIPAA regulatory text and pasted into ~300 PowerPoint slides, and then told their workers to “view” the “training” slides. This is not training. Information security and privacy training, and awareness communications, must actually provide educational value!
You need to make sure your contractors provide regular information security and privacy training to their workers, and regularly send awareness reminders.
- They don’t perform risk assessments. A large percentage of the contractors I’ve assessed, around 25 – 30 percent, had never performed a risk assessment. An additional percentage, also around 25 – 30 percent, had performed a risk assessment once, and that was it. Some of those solitary risk assessments were performed over 5, 10, and even one was 17, years ago. Yes, these two types of contractors represent around half of the contractors. You cannot effectively secure information if you do not know where your risks are located, and what kind of risks you have. These types of contractors are leaving your organization vulnerable.
You need to make sure your contractors have a risk management process in place.
- They don’t use basic security tools. Encryption, audit logs, mobile computing security tool, patch management, and other basics are not used by many contractors; even contractors providing IT services. Over the years I’ve found a large majority of contractors did not use encryption on their web sites, even for forms where they were collecting personal information on behalf of their client who contracted them. They also often do not have their mobile devices encrypted, and most also don’t encrypt sensitive information they send using emails and text messages. There is also a significant portion not logging access to personal information, and not logging major security events. And surprisingly, many still do not use comprehensive anti-malware tools or firewalls on personal devices. Even if such basic security was required within their SLA, that requirement was often not communicated to those who wound need to implement such tools.
Make sure your contractors have basic, expected security tools implemented, beyond just including within the contract and/or SLA. Your contractors need to use basic security tools to protect the information you’ve entrusted to them.
You Cannot Outsource Your Responsibility
This is also a very important thing to know: Generally, a hold harmless clause in the contract you use to try and relieve all responsibility for the bad things that may happen that are caused by the contractor will *not* alleviate you of all responsibility and accountability for breaches and other bad things that may occur as a result of their vendors’ actions, vulnerabilities, or unaddressed threats. I’ve heard this from well over half of the organizations I’ve spoken with and done projects for in the past five or so years.
I am still hearing way too many organizations state something very similar to: “We outsourced so we wouldn’t be liable for the security of the information when it is under the care of the outsourced entity.” It simply does not work that way, folks; for many reasons. But bottom line, your responsibility for securing and using information appropriately follows that information to whomever you have contracted.
Organizations will be judged by the company they keep … the businesses they contract. If organizations don’t want to become proactive about their oversight of those contracted entities, I have a question for them: Are they ready to pay for the security and privacy sins of their contracted entities?
Want to know more about how to effectively create a contractor information security and privacy oversight management process or program? On May 28 I am giving a free webinar for ISACA: An Effective Framework for Third-party Information Security and Privacy Oversight & Risk Management. Consider attending. It will be recorded and available for future viewing.
PS: If you have not done so already, find out how affordable Kevin Mitnick Security Awareness Training is, and be pleasantly surprised.
This was cross posted from the Privacy Professor Blog