Perhaps no single reported breach in recent memory better highlighted the risk that vulnerable third-parties present than when hackers last year raided the systems of marketing services firm Epsilon.
The intruders plundered a massive amount of data – tens of millions of email addresses – belonging to customers of big-name clients served by Epsilon. The incident underscored the sheer amount of trust that businesses place in companies that maintain their data, not to mention those vendors that provide system and application development, support and maintenance.
“To a customer, whether it was you who lost the data or a third-party who you contracted with, it's you who lost the data,” said Daniel Kennedy, a former CISO who now is research director of information security and networking at The 451 Group.
Considering the widening attack surface and the increasing number of partner relationships, guidance and laws are beginning to emerge. As of March 1, the Massachusetts data security law's grandfather provision expires, which means that any contract – regardless of when it was signed – must include language binding third-party service providers to protect personal information. Meanwhile, under the HITECH Act, business associates, which are the outside entities that perform a service on behalf of a health care provider, must implement security measures as specified by HIPAA. And within financial services, the FDIC just released security best practices for banks dealing with third-party payment processors.
Of course, one cannot rely on a law or contract alone to ensure that sensitive data shared with a partner will be protected. Many organizations opt to conduct annual risk audits, but often they merely present a snapshot-in-time overview of a third-party's security stance. When deciding with whom to do business, businesses traditionally roll the dice. “The third party is only going to agree to certain things in the contract negotiations,” Kennedy said. But a company called Saperix, which was acquired last year by FireMon, wants to apply a metric to the decision-making process. In January, Saperix received a $500,000 grant from the National Science Foundation to develop a service that rates the information security risk of businesses, much like what currently exists with credit scores.