Solutions Blog

How to Mitigate the Risk Third-Party Providers Pose to Security

 

Fortune 500 technology giant General Electric (GE) recently disclosed that one of their service providers experienced a security incident in which personally identifiable information (PII) of current and former employees and beneficiaries was exposed. This is the latest in a LONG line of third-party breaches going back to at least 2013, yet most companies still do not have adequate third-party controls. What, if anything, can businesses do to help ensure their valued partners are not setting them up for a major security breach?

 

In 2013, a Target breach resulted in a loss of 70 million customers’ data. Though certainly not the first of its kind, it was at that time the largest. Yet it seems that, in the seven years since, corporate America learned nothing from the Target breach. In that time, approximately 163 breaches have occurred, with the number of companies, hospitals, schools, city governments, and other organizations affected totaling well over 200. In some cases, the same third party was responsible for over a dozen breaches, yet is still heavily used by numerous entities.

 

With the advent of the California Consumer Privacy Act (CCPA), as well as other state privacy laws, the need for adequate third-party security evaluations has become more important than ever. Companies must take greater action to ensure their third-party service providers are providing an adequate security environment for the data with which they are entrusted. This includes a greater level of due diligence than just a questionnaire. Third-party providers must also take steps to have an independent assessment and certification of their security processes. The most common of these is the AICPA’s SOC 2 Trusted Criteria assessment, although an ISO 27001 certification or other independent security assessment certification against an accepted security standard will help provide a level of assurance that security controls are in place AND fully operational.

 

GDT’s Advisory Services practice can assist our clients in preparing for these assessments by providing gap analysis assessments, developing a remediation plan to achieve compliance with many of the security frameworks and regulatory requirements such as CCPA, GDPR, ISO, NIST, and others. We can also assist in developing a security roadmap and strategy to ensure continued regulatory compliance, and provide guidance in the selection, implementation, and operation of security products and services to maximize your security program’s effectiveness while optimizing its cost.

Categories: ,
Share on linkedin
Share on twitter
Share on reddit
Share on facebook
Share on email

Learn more about How to Mitigate the Risk Third-Party Providers Pose to Security by filling out the form below:

More Cloud, Less Cost

What may be the best kept secret in tech is that GDT Partner NetApp, who is well known as a longstanding leader in storage technology with over 27 years of innovation and 30,000 worldwide customers, is incredibly capable of helping you use more cloud for less cost.

Read More »

Securing 5G Infrastructure

Every generation of telecommunications networks brings faster speeds and innovation, and 5G is no exception. Billions of devices are already connected through 5G, which means it’s critical to our future that we ensure that 5G is both resilient and secure. The Cybersecurity & Infrastructure Security Agency (CISA) works with government and industry partners to do just that. Here are the five strategic initiatives they are undertaking to advance the secure and resilient deployment of 5G infrastructure.

Read More »

SecureX is the X-Factor in XDR

While the term “XDR” may be new, the technology is not. At least not to Cisco, whose SecureX threat response technology has offered XDR capabilities to over 10,000 customers for several years.

Read More »