In this age of fast-paced business, companies are increasing their reliance on third-party vendors to assist with their day-to-day operations. Third-party vendor services help with data storage, IT network security, cloud-based software solutions, website hosting, and more.
Although a company may not experience a data breach of its own business network, if a third-party vendor it contracted with experiences a targeted data breach, the hiring company will ultimately suffer the reputational and financial fallout. The famous 2013 data breach of the retail chain Target was one of the most publicized examples of a vendor compromise. The attack occurred because a third-party vendor that Target contracted with was compromised, which allowed the attacker to penetrate Target's point-of-sale system, which led to the breach of millions of customers' credit card numbers.
One must take a comprehensive look at what types of risk a hiring company may be taking on when it signs with a third-party service. Will the vendor improve your company's cybersecurity posture? Is the third-party company compliant with laws and regulations? Working with a company that does not fully comply with regulations can result in your company being forced to pay substantial fines if a problem occurs. As we often see in major data breaches, like the Target breach, the third-party vendor isn't usually viewed as the bad guy; in fact, it's the hiring business that experiences the reputational damage. Is reputational damage something that your company is willing to risk when deciding to work with a vendor?
To protect the hiring company when getting involved with a third-party service, there are a few questions that should be asked of the vendor prior to signing a contract. The answers may help you make the decision that is best for the organization.
- Does the vendor offer the "right to audit"? Many organizations claim to be the safest out there, with security equal to that of the White House, but a company making claims like this should be willing to show you the validity of those assertions. The best way to test this is to ask a potential vendor whether they offer the client the right to audit. The right to audit means the client can come in and audit the security of the vendor themselves. If they deny this access, it's a big red flag.
- Has the vendor ever fallen victim to a cyberattack or data breach? This question should be asked of a vendor to determine whether they are a potentially risky vendor. If they have fallen victim to a cyberattack, the next questions that should be asked are: What changes have been made to properly secure their services? What did the vendor learn about its vulnerability risks, and what steps have been taken to close those gaps?
- Will vulnerability tests be run regularly? Vulnerability testing is something that should be done on a recurring schedule, not once. The only types of vendors you want to be working with are ones that recognize that security is an ever-evolving process, and they should constantly be adapting to changes in the security environment.
- Is data encrypted? Data that is being sent across networks can fall into the wrong hands. If you use a vendor, make sure that all of the data they hold for you is encrypted, both in transit and while stored.
- Who owns the data? If you are transmitting data to a cloud-based service for storage or collection, it's essential to know which company owns the data at the end of the day. The business of data is a multi-billion-dollar business, and although the data may not seem especially valuable to your company, the vendor may hold the right to sell the data you send to them. It's best to have the contract specify that the data the vendor collects or stores is owned solely by your company, and that only you decide what happens to that data if you choose to terminate the contract with the vendor.
LibertyID is the leader in identity theft restoration, having restored the identities of tens of thousands of individuals without fail. If you retain personal information on your customers, now is the time to get data breach planning and a response program in place with our LibertyID for Small Business data breach preparation program. With LibertyID Enterprise you can now add value to existing products, services, or relationships by covering your customers, employees, or members with LibertyID's fully managed identity theft restoration service, at a fraction of our retail price, with no enrollment and no file sharing. We have no direct communication with your group members until they need us.
Call us now for a no obligation proposal at 844-44-LIBERTY (844) 445-4237