Extending security to fourth parties your business needs, but doesn’t control
While there is much discussion about the data security and privacy risks created by third parties, another source of risk can be significant but overlooked: that from fourth parties – those vendors that your vendors use – who may be integral players in your mission fulfillment but who are beyond your direct contractual oversight.
Because third parties often touch customer systems and exchange data with customer staff, they introduce additional layers of cyber risk. Companies do have some safeguards against third parties: they can contractually impose responsible behaviors and penalties for non-compliance, and monitor document exchange as far as possible. Fourth parties, however, may provide a critical service but in turn extend your risk surface in ways you hadn’t understood or, lacking a direct relationship, can’t really attempt to control.
Perimeter security typically does a very good job under the right circumstances. It provides excellent point-in-time security when content traverses a specific point of control. The limitations of this approach are well documented, however. In a world of continuous productivity, collaboration across companies and services, and truly productive mobility, it’s vital for organizations to confront this shift head-on by attaching security directly to the data itself.
For example, the delivery of industrial parts that are manufactured by a company in the United States and purchased by an organization in Asia through a third-party distribution chain could be impacted by a cyber-attack on the shipping company transporting those parts overseas. If the parts can’t be delivered on time, the operational availability of the Asian company is affected. While neither the original manufacturer nor the buyer company has a direct relationship with the shipper, the shipper’s level of cyber resilience is still part of their extended risk surface.
Another example is a medical provider who submits patient documentation to an insurance company in order to receive payment for services. The insurer may share those documents with an external vendor who scans and processes them. If the processor’s systems get compromised, it could affect the medical provider’s ability to get paid or get paid the correct amount. This situation might also create significant HIPAA compliance implications – the data ‘owner’ is ultimately responsible for the data’s protection.
The complexity of modern value chains demands careful decision-making and governance of the data itself, so that the most appropriate policies are applied according to whom specific data is shared with across multiple parties. Governance should be determined by a thorough process assessment in which the original data owner works with its partners to evaluate what data is needed for the legitimate business purpose, which elements of that data need to be protected, who gets access to it, what kind of access – and what specific authority the partner needs to grant others access to it. With potentially dozens of parties in a value chain, this can get extremely complicated, so governance and policy-setting must be approached with the discipline and rigor of any other critical business process.
Even once governance policies are established, they’re not foolproof. Despite the best of intentions, any process that involves people is subject to error. Protecting sensitive data has always mattered for the well-being of the business, but with the abundance of new data privacy laws and regulations, the consequences of data mismanagement can now be far more severe.
As a data owner, you can contractually obligate your partners to uphold laws and regulations, but that doesn’t always mean they can enforce strict data protection practices with their own vendors. In the event of a breach, you as the data owner will ultimately be held liable. That elevated level of risk encourages auditing of partners with whom you share sensitive data.
There are market solutions like Data Loss Prevention (DLP) technologies that try to control data flows. DLP products are useful for detecting data breaches and exfiltration, monitoring and blocking sensitive data even when it’s in motion; however, these are mostly network perimeter solutions, rendered useless once data is in the fourth-party ecosystem.
Next-generation technology is approaching security at the data level, enabling real-time visibility into where specific files have gone, how many times they’ve been accessed, by whom and for how long, and what’s been done with the data by those who’ve accessed it – such as attempting to share it with someone else. This detailed level of insight will enable a defensible audit for third-party vendors and original data owners, and help them quickly get a handle on containing problems when they occur.
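As an added illustration of the difference between perimeter DLP and security attached to the data itself (example code written for this edit, not the article's or any vendor's product), the following model lets a policy travel with each document. Every access event, from any party in the chain and on any network, is decided against that policy and logged, and a per-file report is built showing who viewed the file and how often, how it was re-shared, and which attempts were denied. The document name, parties, policy, delegation rule and log lines are all constructed for the example; the scenario mirrors the provider, insurer and scanning-vendor chain described above.

```python
from collections import defaultdict
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy for one document. The owner (provider) grants the insurer
# view and share; the insurer's scanning vendor, a fourth party from the
# provider's point of view, gets view only.
POLICIES: Dict[str, Dict[str, Set[str]]] = {
    "claim-001.pdf": {
        "provider": {"view", "share"},
        "insurer": {"view", "share"},
        "scan-vendor": {"view"},
    },
}

# Rights a party may pass on when re-sharing (assumed rule for this example).
# "share" is deliberately not delegable, so nobody downstream can widen the
# chain without the owner's involvement.
DELEGABLE: Set[str] = {"view"}

# Constructed access log: "<timestamp> <document> <party> <action> [<recipient>]"
SAMPLE_LOG = """\
2024-05-01T09:00:00Z claim-001.pdf insurer view
2024-05-01T09:05:00Z claim-001.pdf insurer share scan-vendor
2024-05-01T09:10:00Z claim-001.pdf scan-vendor view
2024-05-01T09:12:00Z claim-001.pdf scan-vendor share offshore-ocr
2024-05-01T09:13:00Z claim-001.pdf offshore-ocr view
2024-05-02T14:00:00Z claim-001.pdf insurer share auditor
2024-05-02T14:30:00Z claim-001.pdf auditor view
2024-05-02T14:31:00Z claim-001.pdf auditor share press
"""


@dataclass(frozen=True)
class Event:
    ts: str
    doc: str
    party: str
    action: str                   # "view" or "share"
    target: Optional[str] = None  # recipient of a share


@dataclass
class Report:
    views: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    delegations: List[Tuple[str, str]] = field(default_factory=list)
    denied: List[Event] = field(default_factory=list)


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated log format defined above."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, doc, party, action = parts[:4]
        target = parts[4] if len(parts) > 4 else None
        events.append(Event(ts, doc, party, action, target))
    return events


def decide(grants: Dict[str, Set[str]], ev: Event) -> bool:
    """Evaluate one event against the document's own grants. A permitted share
    extends the grants in place with the delegable rights only, so the decision
    never depends on which network the event happened on."""
    rights = grants.get(ev.party, set())
    if ev.action == "view":
        return "view" in rights
    if ev.action == "share" and ev.target is not None and "share" in rights:
        grants.setdefault(ev.target, set()).update(DELEGABLE)
        return True
    return False


def audit(policies: Dict[str, Dict[str, Set[str]]],
          events: List[Event]) -> Dict[str, Report]:
    """Replay an access log against the policies (on a copy, so the originals
    stay intact) and build a per-document report: view counts per party, the
    delegation chain, and every denied attempt."""
    state = deepcopy(policies)
    reports: Dict[str, Report] = defaultdict(Report)
    for ev in events:
        grants = state.setdefault(ev.doc, {})
        rep = reports[ev.doc]
        if not decide(grants, ev):
            rep.denied.append(ev)
        elif ev.action == "view":
            rep.views[ev.party] += 1
        else:
            rep.delegations.append((ev.party, ev.target))
    return dict(reports)


if __name__ == "__main__":
    for doc, rep in audit(POLICIES, parse_log(SAMPLE_LOG)).items():
        print(doc, dict(rep.views), rep.delegations)
        for ev in rep.denied:
            print("  DENIED", ev.ts, ev.party, ev.action, ev.target or "")
```

Running the script replays the constructed log: the insurer's views and its two re-shares are allowed, the scanning vendor's attempt to pass the file to a further party is denied because "share" was never delegated to it, and the unknown recipient's later view is denied as well. The report gives the data owner the same answer regardless of where in the chain each event took place, which is the property the perimeter-bound DLP approach cannot provide.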
While most IT and security teams have experienced the erosion of the network perimeter first-hand, it is important to recognize that this is a sign of a more fundamental change. If we don’t properly address these underlying challenges, an organization can run the risk of building new, costly perimeters with the same problems as the old perimeter. The best approach is to design a system that can operate securely, independent of how information is shared or stored.