Employees are often considered the weakest link in the security chain. For this reason, many organizations focus their efforts on educating, training and implementing protocols for their own staff when evaluating data privacy plans. While internal threats are certainly a tangible concern, this internal-focused approach fails to recognize another leading cybersecurity threat: vendors.
A study conducted by BlueVoyant reported that four in five firms have suffered a cybersecurity breach caused by a third-party vendor in the past 12 months. Supply chain breaches — when a hacker infiltrates an organization’s system via their outside provider — are becoming a common occurrence. A recent breach, which has been deemed one of the most sophisticated, complex and damaging attacks of all time, was a result of hackers gaining access to numerous government agencies and corporations via the third-party IT provider SolarWinds. It doesn’t stop there. The list of big-name brands that have fallen victim to vendor-related breaches continues to grow.
Whether your organization works with an external vendor to outsource IT services, legal services solutions, human resources, marketing, or finance and accounting, ensuring the privacy of your (and your clients’) data should always be your top priority. Although this isn’t a substitute for a full-fledged vendor security assessment program, today I’m sharing the minimum considerations that should be taken when evaluating a new vendor or revisiting an existing vendor, along with examples of how Ricoh eDiscovery maintains each cybersecurity control.
What are you agreeing to?
When striking a deal with a new partner, companies must review all considerations related to data collection, protection and storage. In a previous blog post, we covered the basics of terms of service for individuals, though many of the same principles apply to corporate agreements.
Before signing a service-level agreement (SLA) with a new vendor, ensure the security of your data by asking (at minimum) the following questions:
1. What is the vendor’s reputation?
If the vendor often changes management or ownership, keep a watchful eye on their organizational and policy updates. Research whether the vendor has been subject to any regulatory enforcement actions. If they have engaged in litigation related to data privacy issues, that should serve as an immediate red flag.
Best Practice: We utilize the services of BitSight to continuously evaluate and report on the security ratings of our vendors.
2. What data will the vendor access to?
Only share the minimum amount of information needed for your vendor to fulfill their contract. This will limit the amount of data that could be exposed should a breach occur. Exercise caution when sharing personally identifiable information (PII) such as addresses, billing details and personal records.
Best Practice: We treat all data received from clients as restricted data and thus apply the highest level of security controls.
3. Who can access the data?
Clarify which permissions will be granted and to whom. This includes both the vendor’s team as well as any other potential third-party subcontractors who may be engaged to outsource specific services. By using vendor privileged access management, you will be able to supervise who is accessing your organization’s data and when.
Best Practice: By employing the principle of “least privilege” to client data, we give users the minimum level of access or permissions required to complete their job function.
4. Where will the data be stored?
Determine whether your organization’s data will be stored on premise, at a data centre or in the cloud. Next, find out where the data will be hosted and whether the vendor can meet your geographic residency requirements.
Best Practice: At Ricoh, we utilize geographically redundant, Tier 4 (IV) data centres which means we host data in two different locations. This way, if an incident should occur in one location, it will not affect the operations of the second location. We also use Microsoft® Azure™ Cloud to host data securely. By default, all data is held within Canada but, with the worldwide reach of Azure, it can be held in most jurisdictions if specifically required.
5. How will our data be protected?
It is essential to understand the vendor’s user restriction and access rights. Determine whether the vendor will encrypt the data, require a VPN for access and enforce two-factor authentication. Your vendor should also routinely perform risk assessments to test their hosting environment.
Best Practice: We encrypt data at rest and in transit, require secure access to all client data and employ two-factor authentication where possible. Risk assessments of hosting environments are performed on a regular basis.
6. How and when will our data be destroyed?
Ask the vendor about their data retention policy. Just as holding on to more data than needed can increase the severity of an exposure, the longer data is kept can also result in a more disastrous breach. Ensure your SLA states your organization’s data will be deleted should the contract be terminated.
Best Practice: Upon completion of a project, we delete client data from our systems 30 days after services have been terminated or 180 days after the last shipment of deliverables.
7. What is the vendor’s Disaster Recovery Plan?
The vendor should have a documented and structured strategy to handle a disruptive event such as a breach, natural disaster or pandemic. This Disaster Recovery Plan should be part of the organization’s larger Business Continuity Plan. There should be evidence that this plan is revisited and updated on a scheduled basis.
Best Practice: The Ricoh eDiscovery Business Continuity Plan and Disaster Recovery Procedure is adopted to facilitate a full recovery of client-facing environments with a 72-hour recovery time objective. We utilize geographically diverse data centres with the ability to operate out of the secondary facility if the primary facility is unavailable. Employees are also geographically dispersed and access the environment remotely through secure means so incidents in one geographic location will not affect our team’s ability to maintain system performance.
8. What is the vendor’s security training process?
In addition to their Disaster Recovery Plan, it’s essential to understand how the vendor’s team is trained.
Best Practice: At Ricoh eDiscovery, security training is required for all employees and contractors upon hire. Annual security training re-certification is required for each employee and contractor. The Human Resources team, in collaboration with the Security Team, designs and delivers the training program. Ad-hoc campaigns are additionally conducted to spread security awareness, including individual responsibility to report suspicious events, potential phishing mails, unauthorized access and more.
9. How does the vendor vet third-party vendors?
Much like you are doing here, the vendor should have an evaluation and approval process for their prospective vendors. The weakest link philosophy applies here, and you do not want to have a failure down the line as a result of your own issues.
Best Practice: We generally require a prospective vendor to complete a Cloud Controls Matrix from the Cloud Security Alliance and only approve the vendor once this is reviewed and the security team is satisfied. A modified version of this questionnaire is required on a scheduled basis to ensure all protocols are maintained and any emerging issues are addressed.
Do these policies align with your own?
Once you have gathered the answers to the above questions, reflect upon whether these policies align with your organization’s. The vendor’s standard of care for privacy and security should support your organization’s own risk tolerance and expectations. Additionally, the vendor’s protocols should adhere to any relevant compliance standards such as PIPEDA, GDPR and CCPA, especially if any of your data originates from Canada or the US.
Maintaining an industry standard certification speaks volumes about a vendor’s dedication to compliance. Working with a vendor who has a quality control or compliance certification such as ISO proves the vendor holds themselves accountable to industry best practices.
Recognize the value of your data.
These questions should help you vet potential vendors, but it’s important to revisit these points on an ongoing base. Have questions? Get in touch with us today.