Trust doesn't cut it with third-party vendors


Ask better questions, get better answers

How much do you know about your vendors? Not sure if it's enough. Download our guide to vetting third-party vendors, including a 30 question checklist of specific security questions to ask.

By Laura Haight

There’s almost no way you don’t know something about the Cambridge Analytica-Facebook snafu. It’s not really a data breach; much of the information was given away freely. The whole firestorm is a twisty-turny road into political machinations that would make Machiavelli proud.

As with so many of these stories, there are lessons we all can learn from them. Some of them are personal: being better stewards of your own sensitive data, not just hitting OK on every app and online service you think you might want to use, and, for heaven’s sake, stop doing the “which-’40s-movie-star-are-you?” quizzes.

But there’s a very big and important lesson that businesses – from the smallest mom and pop to the Fortune 500s – can learn from the epic fail of Facebook and its relationship with Cambridge Analytica.

Trust is not a control.

It may be years of investigations, hearings, and court proceedings before we unravel all the threads woven into this scandal. But three mistakes are at its essence:

  1. Users trusted Facebook to protect their data.

  2. Facebook trusted its policies would protect it.

  3. Cambridge Analytica violated that trust.

Businesses face similar challenges every day, although few probably think of their third-party vendors as potential risks to their organizations.

Think differently.

Bon Secours probably wishes it had. The healthcare giant lost control of sensitive patient information for 655,000 patients (about 220,000 of them in South Carolina and Kentucky) in April 2016. The exposure was the work of a third-party vendor that left the data unprotected during a network upgrade.

Things were even worse for Target, which lost 40 million credit card and personal data records in 2013 when a single user at a third-party HVAC vendor was hacked. The cost to Target? $18.5 million.

Here’s a slightly more relatable – and recent – one: The Leon County School District in Florida has a relationship with a virtual school vendor. That vendor has exposed the district’s student and personnel data twice: once in 2013 by storing it on an insecure server, and more recently in a two-year-long exposure that became known only in February. Among the student information exposed were names, school ID numbers, and medical and demographic information; email addresses and Social Security numbers of district personnel were exposed as well.

No matter how smart a business may be about security internally, third-party relationships often go unaddressed. And that lackadaisical approach can have serious and costly consequences.

Have you given an outside vendor an account on your internal network? You might do this if a company or individual is working on a project with you and requires access to some specific resources. It’s not an uncommon thing to do. But are you taking the very important step of determining the security of the vendor before opening this big door? No doubt, Target wishes it had done that.

How do you find out how secure a vendor is and, more importantly, how do you verify what they tell you?

You research, question, and document. Here are some areas where you may be able to tighten up your third-party relationships so you don’t get Facebooked.

Identify all third-party vendors and partners (even the obvious ones like Duke Energy) and determine what access they have been given and when it was granted. Situational access should be reviewed and removed once the project is completed or the issue resolved. This may involve cloud-based services or application interfaces. It’s not always as obvious as access to your company network.

Develop a standard approach to vetting new and existing partners to assess the strength of their internal security. Some questions to ask: How is your IT managed? What intrusion detection processes do you use? Have you ever had a security breach? How long did it continue? How did it happen? How did you change procedures after the breach was discovered? Do you train your staff on cyber threats? Do you use penetration testing through external vendors to identify weaknesses?

Include security in your contracts. Do not assume just because a company is large or reputable that they “have security covered.” The number of big-name companies hacked, cracked and ransomed should be sufficient evidence of that. The details of any vendor’s access to your data need to be clearly established as well as your expectations for security of that data. For example, before any changes are made to a system where your data is linked or residing, you should be notified so you can be part of the discussion on security of the data during the system downtime or upgrade.
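The three steps above (inventory the access, vet the vendor, put security in the contract) only work if someone actually keeps the register and reviews it. The following is an added example, not code from the original article or from any vendor named in it: a minimal third-party access register with a periodic review that flags situational access whose engagement has ended, access that has never been re-confirmed, and relationships whose contract carries no security terms. The vendor names, resources, dates and the 90-day review interval are all constructed assumptions for the example.

```python
# Added example (not from the original article): a third-party access register
# with a periodic review. Flags situational access to revoke once the engagement
# has ended, standing access that is overdue for re-confirmation, and vendors
# whose contract has no security terms. All vendor names, resources and dates
# are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

REVIEW_INTERVAL_DAYS = 90  # assumption: standing access is re-confirmed quarterly


@dataclass
class VendorAccess:
    vendor: str                        # the third party holding the access
    resource: str                      # what they can reach: account, API key, cloud share
    granted: date                      # when the access was granted
    expires: Optional[date]            # planned end of the engagement; None = standing access
    last_reviewed: Optional[date]      # last time someone confirmed the access is still needed
    contract_has_security_terms: bool  # are security expectations written into the contract?


def review_access(register: List[VendorAccess], today: date) -> List[Tuple[str, str, str]]:
    """Return (vendor, resource, issue) triples for every finding.

    'revoke'   - situational access whose engagement end date has passed
    'contract' - the contract carries no security terms
    'review'   - access never reviewed, or not reviewed within REVIEW_INTERVAL_DAYS
    An expired entry only gets 'revoke'; the other checks are moot once it is removed.
    """
    issues: List[Tuple[str, str, str]] = []
    for entry in register:
        if entry.expires is not None and entry.expires < today:
            issues.append((entry.vendor, entry.resource, "revoke"))
            continue
        if not entry.contract_has_security_terms:
            issues.append((entry.vendor, entry.resource, "contract"))
        stale = (entry.last_reviewed is None
                 or (today - entry.last_reviewed).days > REVIEW_INTERVAL_DAYS)
        if stale:
            issues.append((entry.vendor, entry.resource, "review"))
    return issues


def summarize(register: List[VendorAccess], today: date) -> Dict[str, List[str]]:
    """Group vendor names by issue; vendors with no findings land under 'ok'."""
    summary: Dict[str, List[str]] = {"revoke": [], "contract": [], "review": [], "ok": []}
    flagged = set()
    for vendor, _resource, issue in review_access(register, today):
        summary[issue].append(vendor)
        flagged.add(vendor)
    for entry in register:
        if entry.vendor not in flagged and entry.vendor not in summary["ok"]:
            summary["ok"].append(entry.vendor)
    return summary


# Constructed sample register (hypothetical vendors, not real organisations).
SAMPLE_REGISTER = [
    # Project-based VPN account for a facilities contractor; the project ended in March.
    VendorAccess("ExampleHVAC Co", "VPN account vpn-hvac-01",
                 date(2023, 1, 10), date(2023, 3, 31), date(2023, 1, 10), True),
    # Standing cloud replication role, reviewed two months ago.
    VendorAccess("ExampleCloudBackup", "Cloud storage replication role",
                 date(2022, 6, 1), None, date(2023, 8, 1), True),
    # Standing SFTP drop for student records: never reviewed, no security clause.
    VendorAccess("ExampleVirtualSchool", "SFTP drop for student records",
                 date(2021, 9, 1), None, None, False),
    # Time-limited API key for a utility billing portal, reviewed last month.
    VendorAccess("ExampleUtility", "Billing portal API key",
                 date(2023, 5, 2), date(2024, 5, 1), date(2023, 9, 15), True),
]

if __name__ == "__main__":
    for action, vendors in summarize(SAMPLE_REGISTER, date(2023, 10, 1)).items():
        print(f"{action:9s} {', '.join(vendors) or '-'}")
```

Run against the sample register on 1 October 2023 this produces one account to revoke (the contractor whose project ended in March), one vendor with both a missing contract clause and an overdue review, and two relationships in good standing. The point of keeping `expires` and `last_reviewed` as explicit fields is that "situational" access is only situational if someone recorded when the situation ends; an entry with `expires=None` is a standing grant and should be treated as such.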

Monitoring the vendor relationship proactively like this can significantly mitigate your risk. If data is lost, the vendor may bear the financial responsibility. But the reputational damage is wholly on you. No one knows the name of the HVAC company that opened the gates to the Target hack. They just know that Target lost their info.

If you think asking these kinds of questions of potential vendors would be problematic (maybe they’ll be insulted), I offer this: No provider who can be trusted with your information will resist these provisions. If they do, move on.
