Organizations are beginning to understand the consequences of a data breach or a phishing attack and the negative impact they can really have. But what are the security risks for third parties? There are always organizations that have access to (part of) the company data -- from accounting firms to health benefits organizations, among many others. Perhaps it concerns data from employees, customers or patients; but in some cases, strategic organizational information may also be held by a third party.
More Third Parties Mean More Data Breaches
Research from the Ponemon Institute and Opus (a company focused on compliance solutions) among more than a thousand IT professionals from the United States and the United Kingdom shows that 61 percent of the companies in 2018 experienced a data breach through a third party. In 2016 that was 49 percent. The percentage is therefore rising. According to the researchers, this is due to the popularity of outsourcing IT services and the huge increase in the number of third parties that organizations have to deal with.
Working with third parties could open up more opportunities for greater risks like data breaches. That’s why it’s so important for organizations to ask the right questions and to enforce stringent security policies before they agree to work with any third party.
Top Six Questions to Ask
For organizations that do not need an official and may not (yet) have the means to perform extensive audits of third parties, the following six questions should be asked:
- Does this party need access to our systems?
- What data do we share with this party?
- Where is the data stored by them, and for how long?
- Which third parties do they work with?
- What measures do they take to secure the data?
- What kind of proof can they provide that the data is safe with them?
These six questions paint a good picture of where a third party is concerned about data. If a party cannot provide proof that the organization’s data is safe with them, it’s better to work with another organization.
It is very important to keep the number of data breaches as low as possible; not only because of the importance of individual organizations, but also because of the safety of the general public. The bad guys are out to exploit the vulnerabilities of your organization, and they use all available resources. Regardless of whether this is within the organization or within that of your suppliers and partners.
Many data breaches could have been prevented by being more aware of mitigating the vulnerabilities of the organization. Think not only of technical systems within your organization, but also of the quality of processes and the awareness of employees; both within the organization and with your suppliers and partners.
One of the simplest and most effective ways to develop awareness is the use of security awareness training. By teaching employees what dangers and challenges there are with regard to data breaches, and training them how to deal with them, you increase the overall level of security and resilience of the organization.
Also, involve and evaluate your third parties. Managing third parties can be challenging, but using a vendor risk management platform can ensure a consistent evaluation life cycle. As part of risk assessment of your vendors, ensure they provide their staff with the same training and have other lines of defense to protect your data (as well as providing evidence addressing the above questions). Protecting your data and reducing the risk of a security incident is top priority when leveraging third parties.
*Original article at Emerce: https://www.emerce.nl/achtergrond/zes-beveiligingsvragen-die-iedere-third-party-zou-moeten-stellen