While the lessons from the Equifax hack continue to be revealed, one important takeaway that is commonly overlooked is the challenge in securing data or intellectual property when organizations are working with third parties.
Some potential victims of the hack have expressed concern that they never gave consent for Equifax to collect and store their information. While that may be true, they likely did give consent to lenders who collaborate with credit reporting agencies like Equifax.
As soon as that sensitive data travels outside a company’s security infrastructure, however, it enters a frontier of threats and risks, because the cybersecurity and data protections of a third party are often a big uncertainty. Especially with regard to Equifax, lenders’ trust in that organization proved to be wholly misguided.
How can organizations hold third parties to the same security levels as their own? That’s a complicated and challenging question, but one we should explore as information continues to flow through various channels, organizations, and points that make it vulnerable to attacks.
The Three Facets of Third-Party Security
Beyond Equifax, past cyberattack victims that likewise illustrate the third-party vulnerability include organizations like The Home Depot and Advocate Health. By failing to vet the security protocols of their third parties, all of these enterprises exposed a significant blind spot in their cybersecurity strategy.
But taking responsibility for third-party governance is a significant undertaking. With so many threats to consider and so many competing security solutions, it’s difficult for companies to know how to compare and confirm protection levels.
The key is to focus on what we consider the three buckets of organizational cooperation that require comprehensive oversight:
- A third party accessing your company’s sensitive information.
- A third party storing your company’s sensitive information.
- A third party and your company sharing sensitive information, where both companies have similar workflows and security protocols but the data is insecure in transit.
Good governance, which is the only way to address all of these vectors simultaneously, begins during the third-party selection process. The security resources of each candidate should be carefully considered and factored into an organization’s final decision. At the very least, anyone storing your sensitive data should adhere to industry standards like System and Organization Controls (SOC).
Even after a solid relationship has been established, the third party should be regularly audited for security. With the threat landscape constantly evolving, existing solutions can become obsolete or inadequate. So while this auditing process can be labor-intensive, it is necessary, and there are independent auditors who are available to conduct more thorough audits in less time.
Finally, all parties should search for information-sharing solutions that standardize security controls. For instance, Zix offers a secure repository for parties to exchange information through our ZixEncrypt solution. Access is strictly controlled, information is carefully and automatically encrypted, and data is deleted after an assigned period. Any questions about security capabilities (or lack thereof) become irrelevant within a shared platform.
As much as we’ve focused in previous posts on intraorganizational cybersecurity solutions and strategies, Equifax has made it abundantly clear that a security strategy that doesn’t factor in third parties is incomplete and inadequate. Your job is to protect the sensitive information you’ve been entrusted with, even if that information isn’t — at this moment — in your organization’s systems.