Threats to your company’s data don’t just come from vulnerabilities in your own network. Any third-party company that holds your data can also create new risks.
That’s the lesson antivirus vendor Symantec learned the hard way. The company recently confirmed that hackers had stolen parts of the source code to two of its older products.
However, a spokesperson revealed that Symantec’s own servers weren’t hacked; the code was stolen from a third party. Specifically, the data was taken from a server owned by the Indian government, where it was likely held because Symantec was required to submit source code as part of an agreement with the country’s defense program.
According to Symantec, the stolen code was four or five years old, which means it probably won’t help the hackers do any real damage.
However, the age of the data also raised the question of why the Indian government held on to the files for so long.
As this story shows, however hard IT departments work to keep their own networks secure, data can also be at risk any time it’s placed in another organization’s care. And with the rise in cloud computing, more companies are having to consider the risks third-party networks pose to their critical information.
Here are some steps experts recommend to keep data secure when it’s held by an outside organization:
- Verify security practices — It’s important to know what steps third parties take to protect their clients’ data. That includes what technical controls are in place, as well as how the company vets its employees and enforces security policies.
- Establish liability — Contracts should lay out what happens if your data is compromised while on the third party’s network.
- Validate — The contract should also give your company a way of validating that proper security measures are in place, such as the ability to conduct audits or site visits.