



Do you know where your data is?

May 23, 2017 | 5 mins
Network Security, Security

Third-party risk is very real – your company’s reputation may be in your vendor’s hands.


Modern businesses must be agile, flexible and innovative. Business leaders are always looking for the next opportunity and speed is of the essence. Whether they’re looking to scale up quickly for a new project, or seeking to harness the benefits of the latest and greatest technology, it’s often necessary to go beyond company walls and sign up with a vendor for new software or services.

You may have spent considerable resources to ensure that your security is strong, but what about your third-party vendors? We’ve discussed before how cybersecurity is only as strong as the weakest link, but sometimes that weak link is a partner.

If you’re sharing precious data with a third party, then you had better be sure that it’s being protected properly in accordance with your own security protocols. As we noted before in an article that received a ton of attention, the cost of a data breach is potentially very high.

Risk is growing

Last year was a record year for data breaches and the finger is being firmly pointed at third parties. With 63 percent of all data breaches linked directly or indirectly to third-party access, according to a Soha report, this is clearly an issue you can’t afford to ignore. And yet, many companies are not taking the steps they should be to secure their data.

The number of cybersecurity incidents involving vendors is increasing, according to 73 percent of respondents to a Ponemon Institute survey, but 58 percent admit that they are not able to determine if vendors’ safeguards and security policies are sufficient to prevent a data breach. Problems highlighted by the survey include a lack of accountability, a lack of clarity about who is responsible, and a lack of visibility into vendor practices.

In a CSO story about New York State’s new sweeping cybersecurity regulations, Brad Keller, senior director of third party strategy at Prevalent, a provider of third party risk management solutions, said, “If I’m a hacker, it’s reasonable for me to expect that it will be harder to break into a top-five financial institution, than into a medium-sized company that provides services to financial institutions. And if I get into a vendor that provides access to twelve banks, then I get access to twelve banks’ data as opposed to one.”

It’s good to see New York State taking action to regulate and force financial firms to take extra cautionary steps to ensure third parties they do business with are protecting personal data properly, but it shouldn’t require legislation. Companies should be taking third-party risk management a lot more seriously.

Do you know where your data is?

For effective third-party risk management, you must start with a clear understanding of exactly where your data resides, which vendors have access to what, and what security measures are in place to safeguard it. How tight your internal control is becomes irrelevant if you don’t know what happens to your data downstream.

Map out your data and track its journey both internally and externally. You need to do a proper risk assessment and identify potential weak spots. Pay close attention to the location of partner data centers and examine whether they subcontract to other vendors. At the end of this exercise you should have the complete big picture of where your data is and who has access.

Formulate a strategy

Start by making it crystal clear who oversees vendor management and empower them to drive your new strategy forward. The likelihood is that you’ll need to include people from different departments, so make sure there’s no buck-passing option. Your vendor management team can begin with a critical look at your current data map to see if access can be reduced, and the resulting risk curtailed.

It’s also vital to take a closer look at your vendor agreements and contracts – what happens if a data breach does occur? You should have provision in the contract to financially punish non-compliance and compel your vendors to prove that they’re protecting your data. You’ll need your legal and compliance departments to be heavily involved here. The right service-level agreements will include provision for data breaches and should protect your company, not just from downtime, but also from legal liability.

Assess, remediate and review

You cannot, under any circumstances, simply trust your vendor to meet its security obligations. You must fully assess them. It’s also important to remember that any risk assessment you do only gives you a snapshot view of the current security state. Regular testing should be set in stone, and it’s smart to include some element of real-time continuous monitoring.

Having done an assessment and identified risks, you also need a solid plan to mitigate them. Every assessment should uncover some recommendations and provoke some action that tightens your security.

Remediation must also be fully audited, so that you can ensure the suggested actions have been taken. This process needs to include the option to terminate agreements when the vendor is not in compliance.

Ultimately, you need to know that your data and your reputation are safe at all times, and you simply can’t do that without a solid third-party risk management program in place.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girls’ mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
