High-profile data breaches at Target and at three commercial banks in South Korea were attributed to poor security at third parties, highlighting the risk posed by outsiders inside the company network.
Contractors often help organisations to drive cost and productivity gains, but their security – in light of recent data breaches – is a concern.
Third-party security was a hot topic of conversation at a recent conference in London, where a group of experts admitted that responsibility for data breaches is a grey area, especially as many third parties control large quantities of data without actually being the data controller.
Thom Langford, director of global security office at Sapient, said that this is particularly problematic in the cloud: “You don't even know where the data is half the time, it could be replicated somewhere else.”
Langford and Vicki Gavin, compliance director and head of business continuity and information security at The Economist Group, urged companies to manage contractors and check their security, to embed security in service-level agreements (SLAs), and to continually assess security credibility through on-site visits and even questionnaires. Checking their incident response plans should also be mandatory, said Gavin at the time.
The Economist carries out similar assessments with third-party partners. Gavin said that the publisher often does ‘joint exercising’ on IT security risks to help them understand what's required and “where the gaps are”.

Speaking to SC Magazine UK, Langford urged companies to mitigate these risks with ‘good housekeeping’, such as knowing where data lives and ensuring third parties are contractually obliged to safeguard data.
“I am not sure anyone could name the company that lost Target's data,” he said.
Langford believes that there is a shared responsibility for data breaches. “Third parties need to demand as little data as possible to get the job done.”
Dr Guy Bunker, SVP of products at Clearswift, believes that third parties should be made to adopt two-factor authentication when holding sensitive data.
“2FA should be for all people who have access to large quantities of PII (personally identifiable information) – it can be applied to the apps to increase auditability. There is a need to have better log tracking / analytics as well - watch for reports with 1000+ names in.”
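As an added illustration of Bunker's two suggestions (this is not code from the article, from Clearswift or from any vendor mentioned): a small audit-log check that aggregates report exports per user and report, flags any reaching the 1000-name threshold he cites, and lists third-party users who exported PII without a second factor. The JSON log format, field names and sample lines are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample audit-log lines (one JSON object per line); not real data.
SAMPLE_LOG = """\
{"ts":"2014-05-01T09:01:00Z","user":"vendor_a","mfa":true,"event":"report_export","report":"customers_q1","records":1250}
{"ts":"2014-05-01T09:05:00Z","user":"vendor_b","mfa":false,"event":"report_export","report":"invoices_apr","records":40}
{"ts":"2014-05-01T09:07:00Z","user":"vendor_b","mfa":false,"event":"report_export","report":"customers_all","records":980}
{"ts":"2014-05-01T09:08:00Z","user":"vendor_b","mfa":false,"event":"report_export","report":"customers_all","records":300}
{"ts":"2014-05-01T09:10:00Z","user":"staff_c","mfa":true,"event":"login"}
"""

NAME_THRESHOLD = 1000  # the "1000+ names" figure quoted in the article


def parse_events(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_bulk_exports(events, threshold=NAME_THRESHOLD):
    """Return {(user, report): total_records} for exports at or above threshold.

    Record counts are summed per (user, report) so that a large report pulled
    in several smaller chunks is still caught, not only single big exports.
    """
    totals = defaultdict(int)
    for ev in events:
        if ev.get("event") == "report_export":
            totals[(ev["user"], ev["report"])] += int(ev.get("records", 0))
    return {key: total for key, total in totals.items() if total >= threshold}


def find_pii_access_without_mfa(events):
    """Return sorted users who exported a report without a second factor."""
    return sorted({ev["user"] for ev in events
                   if ev.get("event") == "report_export" and not ev.get("mfa")})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("bulk exports:", find_bulk_exports(evs))
    print("exports without 2FA:", find_pii_access_without_mfa(evs))
```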