Outsourcing is nothing new in business. Many companies still outsource key elements of their processes to third parties. It makes sense: a specialist does the technical work and runs the system, which frees your teams up for other work, can provide a better service to your teams and customers, and is often cheaper. It can also sometimes be more secure, in highly managed environments with better governance, process and technology.
But sometimes not!
We regularly read media coverage of third party and supply chain breaches. What is particularly interesting is the widespread impact of some of these breaches. Whole swathes of industry sectors can be brought to their knees because a single supplier is breached or ‘goes down’. We only tend to hear about the bigger household names suffering, but for every big business experiencing difficulty there are countless small and medium-sized companies experiencing much the same, often without the resources to recover quickly.
Organisations might outsource the systems and data, but you can’t outsource the impact if something goes wrong. Regardless of the liabilities in contracts, you and your customers are the ones who will suffer, both operationally and reputationally, when it goes wrong. A couple of recent breaches really make this point:
- Blackbaud, which provides software solutions to manage fundraising activities for non-profits, including universities, schools and charities. Over 100 organisations are known to have been impacted, and each of these organisations will have large numbers of affected people.
- Prestige Software, which enables hotels to share availability with online hotel and travel booking sites. An exposed AWS bucket containing 10 million logs full of personally identifiable information (PII) was identified by a third party.
These two breaches were within organisations most people have never heard of; the people impacted probably didn’t know those vendors had their data, but both the vendors and the individuals suffer. Organisations need to carefully consider and manage the risk, just as they would for internal systems. The list below isn’t a full vendor management process, but it covers key things to think about:
- Define security – on its own, security is a meaningless word; it means different things to different organisations. It’s not uncommon to see contracts stating that systems will be secure – after a breach, nobody knows what that means. You need to define what level of security you require, what standards you work to, how often it should be checked, and what level of communication you require. Contracts need to state explicitly what you need and what will happen if the vendor doesn’t meet it. They should also include your right to verify security and to be informed when things go wrong.
- Monitor security – your vendor will tell you they take security seriously, but you need to know whether this is true. The only way to do this is to check. This can be done in a mixture of ways depending on the types of data, access and risk, including basic audits, detailed on-site audits and penetration testing. Don’t just rely on the third party to do a pentest and give you the executive summary. It’s not unreasonable to commission your own tests where you define the scope – if they are worried about the stability of the shared systems under a pentest, that tells you something!
- Continually monitor – use tools to continually monitor the security scores of your third parties. Whilst these tools are not entirely accurate, they are a useful indicator. If your third party’s score suddenly drops, you need to get in touch and find out why. Equally, consider using an intelligence company to monitor for your data being exchanged or offered on hacking forums on the dark web.
- Prepare for a breach – it doesn’t matter whether your systems are in-house or outsourced; you need to have breach response processes in place and rehearse them. How do you respond? How do you contact your customers? What steps do you take? The time to make these decisions is before you outsource the system. If you have to design your response in the maelstrom of an incident, it won’t end well. You have to rehearse incidents, and those rehearsals should involve your third parties. Plans must be kept up to date and include lessons learned from rehearsals, industry events, and breaches if they do occur.
It’s important to note that whilst third parties should have appropriate security, they can still be the victims of crimes. Organisations often make the sensible and justifiable decision to outsource systems to third parties, but they still have a responsibility to ensure security and have plans to manage incidents if they happen. You can’t outsource the impact and, in the eyes of the regulators, you can seldom outsource the responsibility.