What would you do if you learned that the plans for your new prototype were leaked to your main competitor? And what would you do if you learned that the leak came from one of your business partners or a supplier who failed to adequately protect your confidential documents?
In today’s fast-paced world, it is impossible not to exchange important data with our suppliers and business partners. Whether it’s strategic corporate information, business secrets, intellectual property or personal data about your employees or customers, the modern enterprise must ensure that it minimizes its informational risks in its partnerships with third parties.
Even if your organization has exemplary information security in place, a supplier or business partner can become an attack vector in your supply chain. The old cliché.
Information-related risks fall into three main groups whose boundaries often overlap.
- Reputation risk: your organization’s reputation is damaged because confidential information is exposed. Consequence: your employees, your customers or your business partners think about leaving you or ask you to considerably increase your security measures.
- Financial risk: your organization is subject to lawsuits or class action suits because of the leakage of confidential data. Consequences: you must allocate additional budgets to pay for damages and fines.
- Compliance risk: a data leak or loss means that you can no longer demonstrate compliance with a law or regulation. Consequence: you are fined and/or lose permits or certifications required to operate.
There is no such thing as a risk-free situation. The goal is to reduce the risks to an acceptable level. An organization’s overall risk management strategy goes well beyond the scope of this short article; here we discuss only third-party management.
Reducing information risk with third parties
Long before you hold a future vendor accountable, you need to understand and control the basics within your organization.
- Are you aware of all the sensitive data and information that could impact your organization in the event of theft, leakage, unauthorized modification or unavailability?
- Do you know the level of security required to adequately protect this sensitive data?
- Are you aware of all the laws and regulations you are required to follow?
- Have you formally appointed a person responsible for ensuring information security management with third parties?
- Are your lawyers/buyers comfortable with the contractual clauses related to information security?
What to do before signing a third-party agreement
First, these questions must be answered:
- Does the data exchanged with the vendor put you at risk? What is the extent of this risk, and what are the consequences for your organization?
- Does the third party fully understand its responsibilities to protect your data? Does the third party accept them on a contractual basis? How will it demonstrate compliance with the contractual terms?
- What recourse do you have if the contractual terms are not met?
The answers to these simple questions should already give you a fairly accurate indication of the risk you face.
In the event you decide to move forward, the next step is to conduct an information security maturity assessment of the third party. In other words, you want to know if your potential vendor will be able to adequately protect your data.
There are two avenues to help you make an informed decision.
- The questionnaire, administered in an interview or as a self-assessment exercise
This approach consists of asking the candidate supplier a series of questions and evaluating the answers.
The exercise can be done in the form of meetings and workshops with the supplier’s key personnel. This type of meeting allows for open-ended questions and an understanding of the company’s culture. However, this approach is costly because it requires a lot of time, coordination and experience on the part of the interviewer.
The other common practice is to send a questionnaire (usually multiple choice) to the supplier and ask it to complete it. It is important to ensure that the supplier is able to understand the questions, and to offer support if needed. This form of self-assessment may be less accurate and may not always provide context for the answers, so follow-up calls are sometimes necessary. However, the effort and time required are less than for in-person meetings.
The number of questions and the nature of the questions should reflect the type of service you plan to purchase or outsource (software development, web hosting, cloud solution purchase, payroll outsourcing, etc.). There are many specialized questionnaires that can be downloaded from the Internet.
Either way, proceeding by questionnaire requires a minimum of expertise to interpret the answers.
- Certification and/or audit report
It is common for a supplier to decide to obtain a certification in order to demonstrate its seriousness in matters of information security. There are several certifications on the market, each with its own advantages and disadvantages. Among the most common are ISO 27001 certification and the provision of a SOC 2 Type 2 audit report.
It is important to note that a certification cannot be considered the only indicator of an organization’s seriousness. Several factors come into play, including the scope of the certification: a certificate covering only one data center or one business unit says nothing about the systems that will actually handle your data.
Beware of organizations that declare themselves “compliant” with security standards. Compliance must be confirmed by an accredited auditor.
Regardless of the method you use, the result must answer this question: can the third party adequately protect your sensitive data throughout your business relationship? If the answer is no, you should consider looking for another third party.
The alternative is to ask the third party to increase its information security maturity. But this option is usually costly and time-consuming, and it does not guarantee results.
Any business partnership is concluded with a formal contract. And it is in this contract that the security clauses must be written, clearly and precisely. The requirement details must be mentioned, as well as the verification mechanisms and the recourse in case of non-compliance. Without these specific clauses, you will have no leverage to ensure that the supplier adequately fulfills its obligations.
Negotiating security clauses can be difficult. Stand your ground. Make sure you have a firm grasp of your security requirements. And most importantly, ask for proof of what your suppliers are saying.
Just because a supplier has never been attacked in the past does not mean they will not be in the future.
A supplier or partner with whom you share sensitive information can become an attack vector or a vulnerability in your security chain. In order to minimize your risk, it is important to assess the security maturity of the potential third party. Assessment methods include self-assessment questionnaires completed by the third party, in-person meetings and workshops facilitated by an expert, and the presentation of certifications. Each method has advantages and disadvantages. Security requirements must be written into the contract, or you may not be confident that you are adequately protected. Expert security coaching is advisable, especially when you deem that the risks are high at the outset. Contact us!