Ewen Ferguson, managing director Australia for US-based global consulting firm Protiviti, warned of the security risk to companies, cautioning that few companies fully appreciate that their service providers can be a weak link in their own data security, “and routinely fail to take adequate steps to prevent their data from being compromised via an attack on their providers”.
“Today, most if not all businesses outsource some of their functions - whether to a cloud technology provider, telemarketer, call centre or payment processor. And doing this involves giving some data or systems access to those third parties.”
Ferguson says that contractors are an obvious vulnerability because they are often smaller firms with weaker security and, he cautions, “even some large service providers have relatively immature information security controls and practices”.
“Yet, despite these risks, companies generally aren’t focussed on managing them effectively. Vendor selection is still overwhelmingly directed at cost, quality and delivery. ‘Risk’ is only a minor afterthought.”
Ferguson notes that the high-profile breach of US mega-retailer Target, which resulted in the theft of personal information including credit card details of 70 million customers and which cost the company upwards of US$200 million, reportedly originated with an email phishing attack on the company’s air conditioning contractor.
According to Ferguson, companies can outsource their business functions but cannot outsource their legal obligations to protect sensitive corporate and customer data. “The only way to manage this is by exercising better control over your service provider relationships.”
Ferguson recommends that companies start by developing a plan to manage their third party relationship risks.
“It’s best practice to establish a centralised function to manage third party relationship risks. This is generally the best way to get complete visibility of everyone the company deals with and to prevent individual teams from establishing relationships that fall under the radar.
“The office should take stock of all existing partners, associates and suppliers and gain an understanding of who has access to what data. There should also be a process to ‘red flag’ and manage parties requiring closer oversight based on criteria such as the sensitivity of the data they hold and the strength of their IT security and controls.”