RSA 2013: Know thy third-party vendor to avoid the surprise of a breach

There is a lot of risk involved in entrusting an organization's sensitive data to a third party, but proper planning and preparation reduces it, according to a panel discussion Tuesday at the RSA Conference in San Francisco.
Colossal third-party breaches have made headlines around the world, the most recent involving Global Payments, a payment processor whose clients included Visa and MasterCard; that incident cost the company close to $100 million. However, cyber criminals don't focus their attention on one particular industry.
"It doesn't matter what industry or sector you're in, it's going to hit you," James Christiansen, chief information risk officer at Evantix, a risk management software company, said during Tuesday's discussion. "It's really about being prepared."
Organizations not only have to deal with the theft of sensitive data, but also with the repercussions of an incident, which can include a tarnished reputation and a hefty price tag, said David Chavez, partner-in-charge at San Francisco-based law firm AlvaradoSmith.
"The best contract in the world is not going to prepare you for the cost," Chavez said. "You need to make that internal assessment and know what kind of vendors you're bringing in."
Ensuring that providers are creditworthy and have the appropriate capabilities to secure data is essential, Chavez said.
According to Verizon's 2012 "Data Breach Investigations Report," 46 percent of the incidents studied were due to third-party provider breaches. David Sockol, CEO at consulting firm Emagined Security, said many of those breaches are due to organizations not putting enough time into the due diligence to ensure that a provider is qualified to safeguard data.
In addition to using the proper legal language in contractual agreements, Sockol added that asking the right questions in advance and performing penetration testing are other ways to properly assess third parties.
"Try not to trust everyone out there," he said. "At the end of the day, we can't avoid using third parties, so we need to understand what we're walking into."