In January 2019, Spiceworks surveyed 600 IT and security decision makers over a wide variety of companies, all with one thing in common: their use of third-party vendors or Business Associates (BAs). Their findings should have everyone looking more closely at their BAs. Some of the key findings were:
- 90% of companies with third-party policies review them annually
- 81% consider their policies effective
- 44% of the companies experienced “a significant, business altering data breach caused by a vendor”
- 15% of breached companies were notified by the vendor of the breach
These statistics are startling, highlighting the chasm between the BA risk management process and the reality of vendor incident response. The most disturbing findings came after the breach. Almost 70% of the breached companies made no change to their obviously faulty risk policies and procedures, with only half of them discontinuing the vendor relationship! The negative, business altering consequences include a combination of increased operational cost and complexity, disrupted operations, financial loss and reputational damage. Reason would move to making changes, but many don’t know where to start.
Evaluate Your Vendors
Companies need to take decisive steps with their business associates to protect their customers’ data. At a minimum, a “trust by verify” approach is required, while many companies are moving to a “zero trust” model. Some options include:
- Contractually obligate vendors to security and privacy practices
- Review your vendors’ security and privacy policies and procedures including their risk management plan
- Require security risk assessments be performed annually
- Conduct a joint risk management review focusing on data exchange and management, prior to enabling the BA access to your data
- Request historical review and references
Security should be a joint effort
It is essential to keep an inventory of all third-parties who can access and share your data, but that is not enough. This study found over two thirds of the companies were not confident that their vendors notify them when sharing data with other subcontractors. Properly vetting your BAs may increase the trust relationship, but additional steps should be taken.
- Coordinate responsibilities between both parties
- Require and review breach notification protocol
- Require insurance and other forms of indemnification
- Maintain regular communication of security expectations and execution
The need for vendors and BAs will always be present in our ever changing, collaborative world. Take the steps necessary to protect your company, your clients and your vendors.
Reference
Nearly half of firms suffer data breach at hands of vendors. Mark Sangster. 6 March 2019. https://www.esentire.com/blog/nearly-half-of-firms-suffer-data-breach-at-hands-of-vendors/