IT pros don’t just need to worry about data breaches on their own company’s network – they also must protect data that’s stored by third-party vendors.
Earlier this year, a big data breach occurred at email marketing firm Epsilon. Compromised info was limited to customer names and email addresses, PC World reported, but experts warn that information will likely be used by the attackers to conduct targeted phishing attacks against individuals and businesses.
So far, 38 Epsilon clients have had to notify customers that their data had been compromised — and the security failure was the fault of someone else.
Here are some ways you can keep your own company from falling into a similar situation, according to Darkreading.com:
- Conduct a risk assessment and annual reviews — Depending on the industry and the type of data being stored by the third party, security audits and testing may be required by law. But even if they’re not, they should be done anyway. And don’t just rely on general statements from auditors and the vendor’s employees — make sure you get the technical details from actual penetration tests.
- Check what data’s being sent — One way to minimize the risk of losing data on account of a breach at a third-party vendor: Minimize the amount of data that’s held by the vendor. That means actually looking at what’s being transmitted to make sure only the necessary info is sent to the other company’s network.
- Assess transport and storage mechanisms — Look for specific details, such as how data is encrypted when it’s sent to or stored on the vendor’s servers, to see if everything complies with regulatory requirements and your company’s policies — and periodically run assessments to make sure nothing’s changed.
- Make sure an incident response plan is in place — Of course you hope that the plan will never have to be used, but your company and the vendor must know what to do in case data is compromised.
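The “check what data’s being sent” step above can be enforced in code rather than by inspection alone. The following is an added example, not code from the article or from any vendor: an outbound filter that projects each customer record onto a per-vendor allow-list of fields, records which fields it stripped, and refuses any record that still carries a sensitive field (a sign that an upstream filter is broken). The vendor name, field names and sample records are assumptions constructed for illustration.

```python
"""Outbound data-minimization filter for a third-party export (added example).

Assumed (not from the article): records are dicts, the vendor is an
email-marketing service, and the allowed field list is agreed per vendor.
"""
from dataclasses import dataclass, field

# Per-vendor allow-list: only these fields may leave the network.
# Hypothetical contract with an email-marketing vendor.
VENDOR_ALLOWED_FIELDS = {
    "email_marketing": frozenset({"email", "first_name", "last_name"}),
}

# Fields that must never appear in an outbound batch at all.
SENSITIVE = frozenset({"ssn", "password", "card_number", "date_of_birth"})


@dataclass
class ExportReport:
    sent: list = field(default_factory=list)           # minimized records
    stripped_fields: set = field(default_factory=set)  # fields removed
    blocked: int = 0                                   # records refused


def minimize_for_vendor(records, vendor):
    """Return only the allow-listed fields for each record; block leaks."""
    allowed = VENDOR_ALLOWED_FIELDS[vendor]
    report = ExportReport()
    for rec in records:
        extra = set(rec) - allowed
        # A sensitive field reaching the export layer means something upstream
        # is wrong; refuse the whole record rather than silently drop the field.
        if extra & SENSITIVE:
            report.blocked += 1
            continue
        report.stripped_fields |= extra
        report.sent.append({k: rec[k] for k in allowed if k in rec})
    return report


# Constructed sample data (not real customers).
SAMPLE_RECORDS = [
    {"email": "a@example.com", "first_name": "Ann", "last_name": "Lee", "phone": "555-0100"},
    {"email": "b@example.com", "first_name": "Bo", "ssn": "000-00-0000"},
    {"email": "c@example.com", "last_name": "Cho"},
]

if __name__ == "__main__":
    r = minimize_for_vendor(SAMPLE_RECORDS, "email_marketing")
    print(f"sent={len(r.sent)} blocked={r.blocked} stripped={sorted(r.stripped_fields)}")
```

Reviewing `stripped_fields` and `blocked` from each export run is the audit trail for the periodic assessments the article recommends.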