
Third party data security – are you outsourcing your reputation? - George Quigley

The security breach at email marketing provider Epsilon last month resulted in the theft of millions of names and email addresses. Those affected include customers of Barclaycard US, Capital One and Citigroup. In the UK, Marks and Spencer and Mothercare have issued advisories to their customers, although security experts believe that more UK firms may have been affected.

Individuals whose details have been compromised can now likely expect “phishing” emails that are crafted to fraudulently solicit sensitive information such as internet banking or credit card details. The threat may be exacerbated by the fact that hackers may be able to link customers’ details with specific retailers, helping them to create more convincing targeted phishing emails (also known as “spear-phishing”).

The Epsilon breach comes as a timely reminder of the dangers of failing to understand and address security risks arising from third party relationships. It starkly illustrates how a security breach at a third party supplier can directly damage your reputation and lead to loss of business. Other effects can include regulatory fines, legal claims and even harm to your share price.

It is a widely understood business principle that while operations may be outsourced, your business risks cannot be. However, many organisations still fail to assess their third party supplier IT security risks and to put appropriate controls in place. There is often a level of implicit trust that applies to personnel, procedures and access to systems and data. Criminals know this and specifically seek to exploit these weaknesses.

For business advisers and others that hold highly sensitive client data, the shoe is on the other foot. They are an attractive alternative target for hackers frustrated by the security measures employed by their clients. If you work for one of these firms, have you considered your IT security risks, including the impact on your reputation and client relationships following a security breach? Are you confident that you are protecting your clients’ data to an appropriate level?

A consideration of third party security risks should touch on key issues such as:

  • Have you conducted due diligence of your third party supplier’s data security controls?
  • Have you formally documented security requirements for third parties in contracts and service level agreements?
  • Do you know who is accessing your data at the third party and are staff vetting procedures adequate?
  • Have you considered the level of access that third parties are granted to your data and systems – can it be reduced and can monitoring be put in place?
  • Have you agreed and documented formal requirements for reporting of security breaches?

A final thought - to quote an old security axiom: “defenders have to be right all the time, attackers have to be right only once.” Don’t let all your hard work go to waste by allowing third parties, or yourself as a business adviser, to become that fatal flaw.


Contacts

George Quigley

Partner
Telephone: 020 7486 5888


Accountants and Business Advisers © 2013 BDO LLP. All rights reserved. BDO LLP, a UK limited liability partnership registered in England and Wales under number OC305127, is a member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. A list of members' names is open to inspection at our registered office, 55 Baker Street, London W1U 7EU. BDO LLP is authorised and regulated by the Financial Services Authority to conduct investment business. BDO is the brand name for the BDO network and for each of the BDO Member Firms.