Third party data breach: control your data wherever it resides
Make sure your contractor was “brought up” in the same security conscious environment your company was.
A company may have the most intelligent approach enveloping each and every facet of your business structure, but as soon as your data is transmitted to a third party you lose control over it. Even if a company is reputable and you’ve signed all the papers, you’re not protected from employee negligence or fraudulent attempt which could take place within the other company’s perimeter.
You can’t control a third party organisation as if it was your own, but you can demand clarity and transparency concerning those areas of activities which involve and might affect your corporate data:
· Your contractor may have a subcontractor. When preparing an agreement make sure you point out the requirement in accordance with which third parties are obliged to inform a company about any external collaborations and sharing confidential data with out-of-contract businesses.
· Be aware of security solutions and privacy policies a contractor introduces and deploys by conducting audit and evaluation.
· Keep track of what agreements you have with third party organisations, which of them access your data and what data they process.
· Keep up-to-date with local and international normative acts and demand that all the contractors do the same. There are different requirements for protection, storage and transfer for various groups of data, and requirements may also vary among data subjects based on their locations as citizenship determines which regulator is to be complied with. All these conditions should be abided by.
Ponemon Institute has conducted a research on a third party data breach issue. In 2016 49% of companies were affected by a breach due to a contractor, whereas in 2018 there were already 59% of businesses affected indicating the same reason.
The Privileged Access Threat Report 2019, prepared by BeyondTrust, demonstrates that access rights management program and data audit requires enhanced measures. According to the report, 58% of respondents are sure that they were breached due to third party vendors’ access. A year ago the number of third party vendors which could access organisations’ IT systems reached 75%. 1 in 8 businesses with more than 5,000 staffers employed aren’t even aware of how many vendors access the network remotely in a specific period of time.
As PwC reports, an impressive number of companies have no preventive measures from third party breaches. Taking into consideration the abovementioned we see that the situation is nearly critical.
Make sure that third parties can’t connect to the assets within your company’s network. Combative network security is crucial as it alleviates the risk of unauthorised access. If a company’s threat mitigation program lacks network segmentation, an organisation is exposed to incidents in case a contractor is breached.
It is important that only the data which is required for work performed by third parties is available to them and nothing which is beyond their responsibilities is exposed. Even if the information isn’t related to the tasks third parties implement but is available in front of them, it becomes automatically obtainable.
Internal audit should be conducted as an ongoing process in order to monitor deviations from the agreed terms of working, including the amount of data allocated for the third party’s use. It is a company’s job to take care of corporate information allotted to a contractor, as they are responsible for task completion, not for information safety, thus, their security measures aren’t part of your agreement and might differ considerably from those introduced in your company.
You have the right to evaluate a third party’s controls and policies relevance which are within the scope of your agreement, and conform to the controls and regulations introduced in your company.
The surveillance is obligatory, continuous monitoring procedures of the number of vendors accessing particular systems should be established. Since the access is controlled, the accounts created for the third parties are visible and can be managed.
It is also important to protect both internal and external perimeters — audit of database queries (any databases storing confidential data) is a must, especially considering access from outside, for example, in a corporate CRM.
Healthcare industry can serve an illustration of the consequences of a third party breach. The largest clients refused to continue working with AMCA (American Medical Collection Agency) due to the breach of personal data which compromised details, including names, dates of birth, provider and balance information, of 20 million U.S. citizens. AMCA, third-party provider of billing services, didn’t manage to safeguard the data of major healthcare organisations’ clients. The information was exposed from August, 2018, till March, 2019. The company went bankrupt and announced about it shortly after the incident was discovered.
