Extract from article by Alan Friel
In our 2017 Data Security Incident Response Report, we found that of the 450+ incidents we worked on last year, network attacks that succeeded due to vendor wrongdoing were significantly more common (15 percent) than those due to employee wrongdoing (9 percent). Vendors were also found to be the cause of technical and security failures and lost/stolen devices or records. Indeed, some of the highest-profile breaches to date have been traced back to vendors (e.g., Target 2014).
Organizational obligations regarding data privacy and security extend not only to the data in a company’s possession, but also to its data in the possession of a third-party service provider or business partner. Outsourcing information processing to a third party, or sharing data with business partners, does not relieve an organization of its privacy and security obligations. For instance, businesses need to scrutinize the security measures of the outsourced providers with which they contract and the providers’ in-place measures – contractual and otherwise – to respond to breaches.
Management of vendors is one of the seven recommendations in the report for minimizing your data privacy and security risks, and we provide you with key questions to ask regarding your vendors and data protection.