[BreachExchange] Who’s Really Responsible For Third-Party Vendor Breaches?

[Destry Winant]

https://www.technotification.com/2018/08/responsibity-third-party-vendor-breaches.html

Increasingly, suppliers, business partners, and third-party vendors
are exposing you to more reputational and bottom line risks than ever
before. Recent surveys provide a grim picture. As much as 63 percent
of breaches are from third-party access. In fact, some of the
shattering systems attacks have not been on the large corporations,
but instead, their vendors.

The significant number of contractors in the current business context
may be an element. You see, many enterprises are turning to
contractors to reduce costs of operations and fill a specific need. So
how do you ensure that your business data is safe as the circle of
trust expands?

Data breaches of high-profile vendors, such as the 2015 Experian hack,
a credit-processing agency, best underscores what is likely to happen
to your firm if one of the vendors develops a security issue. Even
though the hack was on Experian, the targeted information belonged to
T-Mobile. The hackers stole millions of T-Mobile’s service customer’s
data.

T-Mobile’s CEO did not hide his anger towards Experian, and deservedly
so. You see, Experian had ignored to install the necessary security
patches. But whose responsibility was it to secure the client’s data?
Well, class lawsuits against both firms are pending.

Regulators are in consensus on the issue. According to The European
Union’s General Data Protection Regulation (GDPR), the responsibility
is on businesses to safeguard and keep track of the data collected,
processed, stored and transmitted.  Additionally, the regulations
stipulate that enterprises must inform customers, as well as, the
European Supervisory Authority immediately after they discover a
breach.

Financial regulators have always held banks responsible for any
third-party problems. For example, in New York, the new regulation
effective March 1st, 1997 places the onus on financial establishments
to ensure vendors’ cybersecurity measures are sufficient.

Trust And Verify

In recent times, a handshake and a nod are not sufficient to earn
trust. It’s imperative you verify and document your vendor’s
trustworthiness. But how do you do this?

Assessments and Audits: these are among the most common methods of
verifying trustworthiness. For a significant number of businesses, an
evaluation will suffice.

However, the scope of the assessment sometimes ends up creating a fog
as to the intention. As a result, it is crucial to keep it simple with
the questionnaire. Create a meaningful by asking yourself the
following.

- What does the vendor do for us?
- Does the vendor gather, process and store personal data on our behalf?
- What kind of access does the vendor hold to our systems, networks, and data?
- What are my main security fears when it comes to the specific vendor?
- How do I determine the vendor is protecting the information
consistent with our security standards?
- What occurs to the data shared with the vendor?
- Is the vendor able to provide the necessary certifications
indicating compliance?
-  Who are the third-parties the vendor is in business with?
- In what way does the vendor warrant security and compliance with
subcontractors and third-parties?

Depending on the nature of the association and anything else you may
need to know from the vendor, make sure each set of the questionnaire
is unique.

Quality Over Quantity

Survey creation should take a risk-based approach and be done
carefully. Remember that its individuals that will be analyzing the
results and possible distractions are likely to make you miss
something. A brief questionnaire aimed at comprehending how the vendor
will be using the data will be more likely to highlight possible
security risks.

You can also audit the vendor. In fact, vendor audits are a growing
trend, but they are not as easy as they sound. To make the process
easier for you, determine whether the vendor has SOC-2 or other
similar documentation. If so, then you can rest assured you are on the
right track and can concentrate on what matters to your enterprise.

Situations that will prompt an audit include cases, where data shared,
is highly sensitive, or you come across red flags during the survey
process. As mentioned, keep the questions concise and focused. As
opposed to a list-based approach, opt for the risk-based one,
considering threats and concerns to your business. Determine the
vendor’s commitment to protecting your business.

It is now increasingly critical to focus the security assessment and
monitoring on third-parties. Yes, we cannot do without these
third-parties, but that does not mean you throw all caution out of the
window. Cybercriminals are likely to target these third-party firms
hoping that their systems are not as robust as yours. Don’t be lax,
instead, verify before you can trust.

Data is now the most important currency. A simple breach can be the
end for your business as it would cost phenomenal reputational damage,
as well as, fines and penalties. Mostly, the buck stops with you, not
your vendors when it comes to protecting your information.