Data breaches from third-party vendors can cause severe damage to an organization’s reputation and bottom line. As a business leader, it is critical to take steps to prevent these types of breaches. Here are some best practices I recommend:
## Conduct Thorough Due Diligence on Vendors
Before partnering with a vendor, I conduct in-depth due diligence. This includes:
- Reviewing their data security policies and procedures. I want to ensure they have adequate measures in place to protect sensitive data. I ask for specifics on encryption, access controls, employee training, etc.
- Requiring compliance with regulations. Any vendors that handle sensitive data must comply with regulations like HIPAA, PCI DSS, etc. I confirm they have the appropriate certifications.
- Assessing their technology. I have conversations with their IT team about the security technologies they use, such as firewalls, intrusion detection/prevention systems, endpoint security, etc.
- Requesting third-party audits and penetration testing reports. These provide independent validation of their security controls. If they do not have these available, it’s a red flag.
- Checking references. Speaking with their current customers can provide insights into their data security track record.
## Limit Vendor Access to Sensitive Data
I avoid giving third-party vendors indiscriminate access to all data. Instead, I carefully evaluate what data they need and limit their access to only that. For example, a vendor may only need access to customer names and addresses, not full credit card numbers. Limiting access reduces the impact if a breach does occur.
## Use Contracts to Define Security Expectations
My contracts with vendors always contain specific data security provisions, including:
- Right to audit their security measures
- Responsibility to encrypt data in transit and at rest
- Obligation to report any breaches in a timely manner
- Indemnification for failure to meet security requirements
Well-defined contracts set clear expectations and provide recourse if the vendor’s security is substandard. I work closely with my legal team to ensure appropriate provisions are included.
## Require Security Incident Response Plans
I require all vendors to have formal incident response plans in the event of a breach. These plans outline their containment, eradication and recovery processes. Prior to an incident, I confirm our team understands their response plan and that it meets my expectations. Clear incident response plans ensure my data is properly handled in a crisis.
## Implement Access Monitoring
Once a vendor is granted access to my systems or data, I implement robust access monitoring to detect misuse or unauthorized changes. Options include:
- Reviewing user activity logs
- Monitoring for suspicious credential use
- Tracking permission change requests
- Auditing user access
By proactively monitoring their access, I can identify and address any suspicious activity that may precede a breach.
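The two ideas above, a least-privilege data scope per vendor and monitoring of the vendor's actual access against it, can be combined into one review routine. The script below is an added example, not code from the original post; it assumes a hypothetical key=value access log format, a made-up vendor named "acme" whose agreed scope is customer names and addresses only, and a declared source network and business-hours window for that vendor. The sample log lines are constructed for the example. Each finding corresponds to one of the monitoring options listed above: out-of-scope reads, credential use from an unexpected network or at an unexpected hour, and permission changes on the vendor account.

```python
"""Review a constructed vendor access log against a per-vendor least-privilege policy.

Hypothetical example: the log format, policy structure and vendor names are
assumptions for illustration, not any real product's format.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass
class VendorPolicy:
    name: str
    allowed_resources: set            # data the vendor is contractually allowed to read
    allowed_networks: list            # ip_network objects the vendor declared
    business_hours: tuple = (8, 18)   # UTC hours during which access is expected


# Hypothetical vendor "acme": scope limited to customer names and addresses,
# as in the least-privilege example in the text (no card numbers).
POLICIES = {
    "acme": VendorPolicy(
        name="acme",
        allowed_resources={"customers.name", "customers.address"},
        allowed_networks=[ip_network("203.0.113.0/24")],
    ),
}

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
2024-03-04T10:15:22Z vendor=acme user=acme-svc ip=203.0.113.10 action=READ resource=customers.name result=OK
2024-03-04T10:16:02Z vendor=acme user=acme-svc ip=203.0.113.10 action=READ resource=customers.card_number result=OK
2024-03-04T02:41:09Z vendor=acme user=acme-svc ip=198.51.100.7 action=READ resource=customers.address result=OK
2024-03-04T11:03:45Z vendor=acme user=acme-svc ip=203.0.113.10 action=PERMISSION_CHANGE resource=role:customers_admin result=OK
"""


def parse_line(line):
    """Split 'timestamp key=value key=value ...' into a dict with a UTC datetime."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def review(log_text, policies):
    """Return a list of (finding_type, detail, raw_line) for events that need attention."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        policy = policies.get(ev["vendor"])
        if policy is None:
            findings.append(("UNKNOWN_VENDOR", ev["vendor"], raw))
            continue
        # Rule 1 (least privilege): a read outside the agreed data scope.
        if ev["action"] == "READ" and ev["resource"] not in policy.allowed_resources:
            findings.append(("OUT_OF_SCOPE_ACCESS", ev["resource"], raw))
        # Rule 2 (suspicious credential use): source address not in the declared networks.
        src = ip_address(ev["ip"])
        if not any(src in net for net in policy.allowed_networks):
            findings.append(("UNEXPECTED_SOURCE_IP", ev["ip"], raw))
        # Rule 3 (suspicious credential use): activity outside the vendor's business hours.
        start, end = policy.business_hours
        if not (start <= ev["ts"].hour < end):
            findings.append(("OFF_HOURS_ACCESS", ev["ts"].isoformat(), raw))
        # Rule 4 (permission change tracking): any privilege change on a vendor account is reviewed.
        if ev["action"] == "PERMISSION_CHANGE":
            findings.append(("PERMISSION_CHANGE", ev["resource"], raw))
    return findings


if __name__ == "__main__":
    for kind, detail, raw in review(SAMPLE_LOG, POLICIES):
        print(f"{kind:22} {detail:35} {raw}")
```

Run against the constructed log, the first line is clean, the second is flagged as an out-of-scope read of card numbers, the third is flagged twice (unexpected source network and off-hours use), and the fourth is flagged as a permission change. In practice the policy would be generated from the access scope written into the vendor contract, so the monitoring rule and the contractual limit stay in step.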
## Maintain Encryption for Data in Transit and At Rest
For any sensitive data that must be shared externally, I mandate the use of encryption for data both in transit and at rest. Encryption prevents external parties from deciphering the data if they do gain access to it. I require that vendors use secure protocols like SFTP and enable the highest level of encryption available.
By taking a proactive approach and using these strategies, I aim to substantially lower the risk of suffering a damaging third-party vendor data breach. Protecting sensitive data must be a joint effort between my company and my vendors.