Data Security Best Practices For Using Third-Party Vendors
By Geoff Grow, Service Objects
Increasingly, your data is in the hands of third-party vendors. Few firms can afford to reinvent the wheel nowadays in areas ranging from cloud hosting to contact data validation, and this trend has accelerated in a growing world of inexpensive SaaS software capabilities and APIs. But this trend has also led to some well-publicized data breaches. Here are just a few from the last year alone:
- According to a recent story in Wired magazine, two security researchers discovered that email validation firm Verifications.io had exposed an unprotected, publicly accessible database containing over 800 million email addresses, together with personal and business information for some of them. The firm has since gone dark.
- Cybercriminals obtained over five million credit and debit card numbers from customers of retailers Saks Fifth Avenue and Lord & Taylor in 2018, accessing them through an unsecured third-party point of sale system, as detailed in this article.
- The same article notes the entire cloud storage of Universal Music Group, including passwords and login credentials, was exposed as a result of a contractor failing to protect one of its servers.
Stories like these are why one law firm describes third-party data breaches as “the weakest link in cybersecurity,” noting that nearly two-thirds of data breaches are connected at some level to third parties. But it is still your business name and reputation that is at risk when your data is breached, whether by accident or intentional crime.
4 Steps To Ensuring Data Security
Data security is an important shared issue for both companies and legitimate third-party data services. We are a third-party vendor ourselves, and our business revolves around handling customer and prospect records for our clients, so it lives and dies by having airtight, bank-grade security. Here, we would like to share four best practices that can help you be confident in working with your data partners.
- Start with reputation. A vendor’s track record is perhaps the most important factor, on two fronts. First, it serves as a sign that other customers have already placed trust in this vendor’s security processes, versus relying solely on the vendor’s own word. Second, it can often serve as a good indicator about whether they can afford to invest in the staffing and business practices needed to execute an adequate security plan. Look for things like industry reviews, size and tenure in the marketplace, and the endorsement of major accounts.
- Assess your vendor’s security procedures. Here, you want to do a deep dive into specific processes and procedures – because if you ask any vendor about their data security, they will of course tell you it is fantastic. Do they use secured data centers? Hardened servers? What kind of penetration testing or encryption do they use? Do they store your private data any longer than necessary, or purge it after processing it? Depending on how critical your data is, it makes sense to have your own data security experts – inside or outside the company – guide what to ask.
- Trust, but verify. Is your vendor willing to document their security procedures in writing? Reputable vendors should have no problem warranting that they do what they say they do, and provide appropriate documentation to support this.
- Check out their infrastructure. How extensive are the vendor’s development and technical support capabilities? This is not only an important gauge of their ability to implement effective security procedures, but also a measure of their ability to respond in the event of a problem. (For example, since we work with clients’ contact data in mission-critical applications, our support team is available 24/7.)
In Summary: A Balanced View Of Security
Done well, the right third-party service partnerships can in fact improve your data security, by leveraging the security infrastructure of a reputable firm. You might look at it much the same way as visiting a major city: if you avoid bad neighborhoods and take proper precautions, your chances of being safe increase substantially. But given the potential reputational risk, brand damage and financial exposure of a data breach, paying attention to data security should become an important part of your vendor evaluation process.
About The Author
Geoff Grow is the Chief Executive Officer at Service Objects, a contact data quality firm founded in 2001 that has now validated over 3 billion contact records.