At the start of this year I wrote a blog entitled “What CIOs should be doing about security in 2008” listing the top key security topics for CIOs to be thinking about this year.
Number two on my list was Security of third parties and partners. This advice is validated by a report (PDF download) just released from Verizon which finds that 39% of data breaches (out of a study of more than 500) over the past four years involved business partners.
A difficult question to consider is what to do when such an incident occurs. Do you simply drop the partner and find a new one? That’s not going to be easy if there are a lot of business processes and systems tied up in the relationship, not to mention all the other political and contractual aspects likely to be present.
I don’t think there’s a simple answer. It is probably best in the first instance to discuss the situation with the partner. If they are willing to be open and honest about the nature of the incident and the subsequent actions they’ve taken to fix vulnerabilities, then that’s a good start and at least indicates their acknowledgement that they take what’s happened seriously.
Consider also your own processes. How far did you go in ascertaining the partner’s security prior to forming the relationship? I frequently find that we are simply not very good at asking partners the right questions – in fact, the process falls over from the start because the information security team is probably not even consulted before the contract is signed.
We need to stop being coy about asking probing questions about the systems and processes our partners use. I ask almost the same set of questions that I use to ascertain the risk status of one of my own company’s business units.
Unfortunately the Verizon report is rather fuzzy when it comes to making any recommendations on this subject but that’s not to be critical of the work that went into creating it. The facts and figures speak for themselves.