Trusting third parties: Securing your enterprise ecosystem

Having an interwoven ecosystem -- of service providers, contact centers, distributors, licensees, joint ventures and other third parties -- has created a much larger flank allowing attackers to skirt around security measures by targeting less secure connections among third parties. Security risks can come from vendors that use poorly conceived, insecure business processes to manage systems. Vendors could also be using administrative passwords in systems installed at all their customers’ sites. Some agreements do not even clearly identify who is responsible for safeguarding the organization’s information or notifying the organization in case of a data breach. Using the gathered information, the organization should then take steps to determine the risk profile for each third party in its ecosystem. By creating a risk profile for the third party, the organization can determine the level of security controls and activities that the third party should have in place. These security requirements should also become mandatory terms during agreement negotiations. Should the agreement involve the sharing or outsourced processing of personal data, the organization must include the required data sharing or outsourcing stipulations of the Data Privacy Act of 2012 to ensure that proper safeguards are in place to ensure the confidentiality, integrity and availability of the personal data processed, and to prevent its use for unauthorized purposes. Third parties, as well as the security and data privacy provisions in their contracts, should be reviewed on an ongoing basis throughout the relationship with the organization.

The level of interconnection in today’s digital ecosystem has created tremendous opportunities for organizations to work together by extending capabilities and sharing data. However, having an interwoven ecosystem — of service providers, contact centers, distributors, licensees, joint ventures and other third parties — has created a much larger flank allowing attackers to skirt around security measures by targeting less secure connections among third parties. For example, recent security breaches that affected Target and Yahoo prove how dangerous unsecured third parties can be and that an organization can be blamed for security vulnerabilities it had little to do with.


In the Philippines, the third-party problem is real. Security risks can come from vendors that use poorly conceived, insecure business processes to manage systems. For example, service providers may connect through remote backdoor access to maintain and support their clients’ internal systems. In some cases, service providers use software that is no longer supported, full of vulnerabilities and impractical to patch. Vendors could also be using the same administrative passwords in systems installed at all their customers’ sites. And there could be instances when contact center agents put sticky notes around their cubicles with passwords to the organization’s systems, or with customers’ credit card information and personal information.

These situations may sound dismal but third-party service providers are not entirely to be blamed for this mess. Due to dynamic business requirements, speed-to-market pressures and a highly competitive environment, organizations simply purchase third-party services and software with operational benefits in mind while neglecting security and data privacy. We have seen organizations that do not pay close attention during contract negotiations. Some agreements do not even clearly identify who is responsible for safeguarding the organization’s information or notifying the organization in case of a data breach.

Organizations only realize the broken trust after a vendor’s fraudulent or unsecured activities are uncovered, like when a customer informs the organization that his or her personal information has been used for some dubious activity, or when management salaries are suddenly shared inappropriately.

The EY Global Information Security Survey 2016-17 confirms that third-party risk management is a major area of risk which is often overlooked, as evidenced by the following findings:

• 68% of respondents disclosed that they would not increase their information security spending even if a supplier was attacked — even though a supplier may provide attackers with a direct route into the organization.

•…
