Breaches at third parties can be mitigated with due diligence and preparation, but often that is not considered from the outset.
In a debate on 'The killer next door – the devastating impact of third party breaches' at the RSA Conference in San Francisco, Michael Bruemmer, vice president of Experian, said that while you can plan up front and train employees, the threat grows dependent on how many people are involved in the chain of command and the number of outsourcers.
David Chavez, partner-in-charge of the San Francisco office at AlvaradoSmith, said that if only one company is involved, then that can be easy, but with a third party it requires preparation and involves regulators; as soon as that begins, clients and consumers need to know in the event of a breach, "regardless of which side you are on you have to prepare for that".
David Sochol, financial services analyst at Baron Capita, said: “Understand the amount of effort you need to put into preparation so if you have an issue, you know how quickly you can be there and what kind of preparation you have put into the account. There is a desire to stop a hacker or try to capture or prosecute, and the big thing to stress is to be prepared and ask questions in advance and spend time evaluating before an instance takes place.
“There are conversations about everything moving offsite; what is scary is the trend of companies moving in that direction. Look at the statistics: 52 per cent are trying to outsource, the issues move out of their control and the third party treats data like any data, as they don't 'treat it like it is my own'. So we are seeing a trend of outsourced assets being compromised, and we ask are you doing anything to protect those assets, and 28 per cent are making improvements on third party vendors.
“They are not doing that much and not validating information. Start looking at moving out there and applying good security foundations and outsourcing is not as scary as it seems.”
Christine Arevalo, strategic director of healthcare fraud solutions at ID Experts, said that there is a rise in the healthcare sector, and this is an area where privacy and security are converging and risk has to be realised. “Healthcare is an area where there is a lot of exposure and I've seen it dozens of times and it puts the employee and employer in jeopardy. You really need to prepare for the worst.”
Asked by moderator James Christiansen, chief information risk officer at Evantix, what to do differently to prepare and deal with a third party breach, Chavez said that the most important factor was to understand where the data is and where it is being outsourced to, and where someone has access, and draft the contract appropriately.
“The primary part will deal with data indemnification and if anything happens to me, you pay the costs,” he said.
“Indemnification is always an issue as you want to have the best processes available, as the companies taking the data know all they have to do is take the data, and the best way to negotiate it is to address it in the contract, and add it to the contract. You can add assurances regarding security and possibly pre-approve vendors, and ask to be given notice if they suffer a breach.”
Sochol said that in one instance, a company he worked with ran a penetration test and fixed the flaws, yet a few months later other data was breached, as it only applied the fixes to his data.
In conclusion, Christiansen recommended three key areas: understand risk, identify who the vendor is and what they are involved with, and ask if they are implementing the right security practices.