4 Tips for Organizations to Evaluate Third-Party Vendors – Forbes Advisor


Jim Chilton, CIO of Cengage Group and General Manager of the Infosec Institute, a cybersecurity education and training provider that is part of the Cengage Group.


When you’re in the business of collecting and aggregating customer data, protecting that information is paramount. Put yourself in the customer’s shoes and understand the privacy of the moment: if you were handing over the most private information about yourself, you would want no stone left unturned in keeping it completely secure.

Today, most of our interactions are digital, as we have embraced technology in almost every facet of life and business. Data is at the heart of every organization, providing insight into business performance and consumer habits, and enabling the kind of flexibility needed to be successful.

But an always-online world carries inherent risks: A recent surge in data breach attacks has left some of the world’s largest and most impactful organizations crippled, and millions of pieces of private information in the hands of bad actors. In fact, the average cost of a data breach is $4.35 million, a figure that has increased by almost 13% since 2020.

And that’s why relationships with third-party providers, who have a responsibility to store and therefore protect sensitive data, are extremely important. Whether you’re working with a contractor on a short-term project or in a more complicated engagement with a software vendor or data processor, your organization is only as strong as its weakest link, so it’s crucial to understand how your partners plan to handle the data. This also means taking great care to implement privacy policies, rules, and regulations internally that ensure an airtight process from start to finish. Even activities you might not think of as harmful, like plugging in a printer, can create a pathway for a cyber attack that brings down an entire organization.

So how can you make sure you’ve chosen a third-party partner that will protect your customers’ information? Here are four questions to ask before forming a partnership.

Is the supplier compliant with industry standards?

Compliance with industry standards is a basic requirement for any relationship with an external provider. A willingness to recognize and adhere to basic information security standards indicates a commitment to data protection. Without that, the relationship between your company and any third-party service provider cannot continue. With vendor assessments such as SOC 2, PCI DSS, HIPAA, ISO 27001, and CSA STAR, as well as local regulations, organizations can make decisions about how to safely outsource critical operations to a third party.

Also, many industries have their own standards; for example, the financial services industry has the Gramm-Leach-Bliley Act (GLBA), recently amended to address more security and privacy concerns. For organizations like Cengage Group operating in the education space, the Higher Education Community Vendor Assessment Toolkit (HECVAT) is the standard. Many higher education institutions rely on third-party vendors to provide data storage, hardware and software, and other important services. HECVAT is a series of assessments that verify third-party providers have the appropriate information security, data privacy, and cybersecurity policies in place to protect a school’s sensitive data. Educational institutions are a target for ransomware attacks, with a wealth of institutional data and personally identifiable information from students, educators, and administrators ready for the taking; just look at the recent, high-profile attack on the Los Angeles Unified School District (LAUSD) that shut down email systems and other platforms.

Have you reviewed the provider’s privacy policy?

While compliance with local and industry regulations is critical, it is also only the baseline. Going above and beyond and showing the utmost respect for customer privacy is what every organization should strive to achieve. Every vendor you work with should have a well-thought-out and well-articulated privacy policy, much as you would expect a mission statement or a description of operational capabilities. That statement and point of view are also crucial determinants of whether they are a suitable partner. The company may have suffered adversity in the past, such as a ransomware attack, which led to a reevaluation of its policies and a different approach to cybersecurity. Laws such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) or the California Online Privacy Protection Act (CalOPPA) require obtaining explicit consent before collecting or processing any information. But if the company is not required to do so, should it still share its privacy policy? Transparency is an important consideration in evaluating third-party providers. Trusted providers must have a clearly articulated public privacy policy. If they don’t demonstrate that commitment to privacy, do the company’s values really align with those of your organization?

What are your operating standards? How would third-party access affect you?

Good cybersecurity hygiene has both technical and non-technical components, as any good security leader knows. You should expect the same from your providers.

There are several technical controls that provide significant protection and should be standard for all organizations, including their vendor partners. Do they use multi-factor authentication? Do they have an endpoint detection system? Multi-factor authentication protects information by requiring at least two independent factors to verify the user’s identity before granting access. Endpoint detection tools constantly monitor endpoint devices, such as laptops or mobile devices, for potential threats from attackers. Your third-party provider must be able to demonstrate multiple layers of protection before they are given access to your data.

But there are also processes and practices that must be in place to protect critical assets and business processes. These include a strong change management program and a strong security awareness program. Change management helps prevent new risks from entering systems. Security awareness takes many forms, including training programs, luncheons, and phishing simulations. Employees of your supplier partners must be diligent and aware of security risks throughout the year.

You should also ask yourself, “How are external or IoT technologies influencing our operations?” Look back at the above example of a seemingly harmless printer. There are many devices in the vast Internet of Things (IoT) network in use every day. Many run on outdated software or connect to networks without sufficient threat protection. Someone with malicious intent could compromise your printer, and before you know it, they’re deep in the personal records of thousands of customers because the computers in the back office run on the same network.

Are you ready for the unexpected?

When evaluating the technology and policies that potential third-party vendors have in place, you should also consider events that have not yet happened. Think of the organizations that may have awarded contracts to software vendors in September 2019, not considering that their entire operation would have to go fully remote just six months later when the pandemic hit. Or consider how a natural disaster can suddenly wreak havoc on technology infrastructure, as Hurricane Ida did in Louisiana last year. It is important to plan for the unexpected and understand how a provider is prepared to handle unexpected changes in the operation. This should take the form of a business continuity plan that takes into account everything from minor disruptions to major incidents. Don’t settle for a disaster recovery plan, as it may not be able to cover partial outages or unforeseen events.

Don’t delay, act now

At Cengage Group, we use our own multi-step approach to vendor selection that helps guide important technology partnerships. With our vendor selection rubric, we measure four key determinants: strategic fit, process and capability fit, relationship fit, and technology and architecture fit. The scores for each provide a holistic view of potential vendors that takes into account all factors, both visible and invisible.

While your company may not implement the same rubric, having a process in place now is critical. Tomorrow could be too late.

It has never been more important for your business to fully assess how you are collecting data and whom you trust to keep it safe. Ever since the pandemic hit our economy, organizations have been looking for ways to cut costs and become more efficient in order to stay relevant. Much of that cost cutting has occurred through outsourcing. But privacy and data security are not areas where shortcuts can be taken.
