Protecting Your Company From Breaches At Your Third-Party Vendor

July 2, 2011 By David
Grazed from Dark Reading. Author: John Sawyer.

Nearly every day now there is news of the latest data breach: if it isn't Anonymous or LulzSec, it's some faceless attacker who has compromised yet another company database or network full of customers' personal information. But what happens when the breach is at your third-party provider? That is what happened with e-mail marketing service Epsilon, whose breach earlier this year exposed the e-mail addresses, and in some cases the first and last names, of people on the customer lists of its largest clients, raising concerns that extensive spear-phishing attacks were on the horizon.

Major firms such as American Express, JPMorgan, Best Buy, and Verizon, which had relied on Epsilon to keep their data safe, were suddenly faced with telling their own customers that information entrusted to them had been lost, and lost by someone else. It is a tough situation for both sides, and any organization that relies on a third party to protect sensitive customer data is likely to face it one day. There are, however, steps you can take to make sure your organization's and your customers' personal information stays protected.

Before taking the plunge and trusting your data to a third party, establish the expectations each side must meet so that both are protected and each knows what to expect of the other. The first is a thorough risk assessment, repeated in annual reviews. Depending on the vendor and the industry, annual risk assessment and penetration testing may be a regulatory requirement, or something the vendor has chosen to do as a competitive advantage.

If the vendor is doing it only to satisfy a regulatory requirement, take the time to review its latest assessment reports and the documentation for its security program. Look past the "we're compliant, here's our seal of approval" statements and get down to the technical details: what was in scope, what was actually tested, what was found, and what was fixed.

Companies that met their annual compliance requirements and followed security standards such as ISO 27001 have still been compromised; Heartland and Epsilon are two examples. Instead of relying on an auditor having checked the appropriate boxes, make sure the yearly reviews validate the controls actually in place through hands-on testing rather than interviews with employees.

Beyond making sure comprehensive technical audits are performed, a regular audit of the data actually being sent to the vendor can uncover misconfigurations that lead to data exposure. Whether you are already working with a third party or about to establish a relationship, confirm that what the contract specifies and what the integration actually transmits are the same thing. Auditing the implementation verifies that exactly the data the vendor is entitled to is what crosses the wire, no more and no less; a feed that quietly carries an extra column or two is the kind of mistake that turns a vendor's loss of e-mail addresses into a loss of something far worse.
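To make that data audit concrete, here is an added example (not from the Dark Reading article and not any vendor's tooling) of the kind of check a security team can run against an outbound export before it goes to a marketing vendor. It assumes a hypothetical contract that entitles the vendor to four columns, and it takes a small constructed CSV export as input. It reports columns the contract does not cover, contracted columns that are missing, and any card-number (Luhn-checked) or U.S. SSN-shaped values found in any field, since neither belongs in a marketing feed at all.

```python
"""Audit an outbound vendor export against the contracted field list.

Added example, not code from the article. The contract, the field list and the
sample export are all constructed for illustration.
"""
import csv
import io
import json
import re

# Hypothetical contract: the e-mail marketing vendor is entitled to exactly
# these columns and nothing else.
CONTRACTED_FIELDS = {"customer_id", "email", "first_name", "last_name"}

# Constructed sample export, the way a mis-configured integration might write
# it: two columns beyond the contract, and free-text notes carrying a card
# number and an SSN (both well-known published test values, not real data).
SAMPLE_EXPORT = """customer_id,email,first_name,last_name,phone,notes
1001,alice@example.com,Alice,Smith,555-0100,prefers email
1002,bob@example.com,Bob,Jones,,card on file 4111 1111 1111 1111
1003,carol@example.com,Carol,Lee,,ssn 078-05-1120
"""

# 13-19 digits, optionally separated by spaces or dashes (typical PAN layouts).
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# U.S. Social Security Number in the common AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[str]:
    """Label the sensitive values found in a single field value."""
    labels = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # Luhn weeds out most phone and account numbers
            labels.append("PAN")
    if SSN_RE.search(text):
        labels.append("SSN")
    return labels


def audit_export(csv_text: str, contracted: set[str]) -> dict:
    """Compare an export's columns to the contract and scan every value.

    Returns a dict with:
      extra_fields   - columns sent that the contract does not cover
      missing_fields - contracted columns the export failed to include
      sensitive      - (customer_id, field, label) for each sensitive hit
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    sent = set(reader.fieldnames or [])
    findings = {
        "extra_fields": sorted(sent - contracted),
        "missing_fields": sorted(contracted - sent),
        "sensitive": [],
    }
    for row in reader:
        for field, value in row.items():
            for label in find_sensitive(value or ""):
                findings["sensitive"].append((row.get("customer_id", "?"), field, label))
    return findings


def export_is_clean(findings: dict) -> bool:
    """A feed should only leave the building when all three lists are empty."""
    return not (findings["extra_fields"] or findings["missing_fields"] or findings["sensitive"])


if __name__ == "__main__":
    result = audit_export(SAMPLE_EXPORT, CONTRACTED_FIELDS)
    print(json.dumps(result, indent=2))
    print("clean" if export_is_clean(result) else "BLOCK: export violates contract")
```

Run against the constructed export, the audit flags phone and notes as columns the contract never granted, and flags the card number and the SSN hiding in the notes field. Wiring a check like this into the job that produces the feed, and failing the job when it is not clean, is what "no more, no less" looks like in practice; the contracted field list is the thing both sides signed, so it is the natural allow-list to audit against.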

In addition to auditing the data being sent, the transport and storage mechanisms need to be assessed to make sure sensitive data is properly encrypted in transit and at rest and meets applicable regulatory controls and company policy. Periodically auditing how the data is transmitted to and stored by the third party gives both sides confidence that the current transport and storage controls really are what they are believed to be.

One area that absolutely cannot be overlooked is incident response. What will the vendor do when it realizes a security incident has occurred that could affect the confidentiality of the information you entrusted to it? The first step is to have a plan; the second is to be sure the plan works. Once an incident is detected, initial triage to stop the flow of information out of the organization is critical, and it must be followed immediately by an investigation to determine exactly what information was exposed.

Of particular importance during incident response is communication. Open lines of communication should be established early, and it helps to have working relationships between the technical staff on both sides who will deal with an incident firsthand. A good example of how one vendor handled the incident response process when customer data was threatened can be seen in the testimony of Epsilon's legal counsel in the story "Sony and Epsilon: Lessons for Data Security Legislation".

As more services migrate to the cloud, companies trust third parties with the protection of sensitive information, and data breaches keep hitting the headlines, it is important to protect your customer data even when it is not under your direct care. Making sure the proper security controls are in place and tested regularly is critical.

Regular audits to confirm that only the right data is being sent, and that it is protected in transit, can prevent embarrassing mistakes. And don't overlook the need for a solid, tested incident response plan should an incident occur.