Drawing the Line Between Your Company's Security and SECaaS
This article originally appeared on Oct. 21, 2015, and has been revised to bring our readers the most up-to-date technology information.
Looking back at the past 12-18 months, we know business partnerships have risks. Goodwill, Home Depot and Target are proof. They were all breached through a third-party vendor. According to the Ponemon Institute, 65% of companies that reported sharing customer data with a partner also reported a subsequent breach through that partner.
Co-opetition is here to stay. We’re seeing it more and more. The question is: How will you secure the data you’re mixing with your competition’s information?
Third-party threats to your data
No matter what type of organization you are, third-party vendors impact the security of your organization. Some do a great job at security. Others don’t. And most companies don’t know how (or if) third parties protect their data. Do you know who is handling your data?
There are a number of third parties that handle your confidential, sensitive business information, including encrypters, data collectors, IT pros, coders or code reviewers, data transmitters, data backup companies, cloud security, data destruction companies … and the list goes on.
And guess what? Data sovereignty, bring your own device and choose your own device, business and healthcare compliance and regulations, and laws across national and international borders add to the challenge. And they’re not updated at the speed the risks are evolving. Consequently, the third-party role is evolving.
The evolution of security services
Security threats used to come from malware whose spread was measured in days, weeks and months. Now it’s measured in hours, minutes and real time. It’s no longer possible to protect your organization alone in this age of rapidly expanding networks, an emerging Internet economy and mobility. That’s where specialized security vendors came into play, offering Security as a Service (SECaaS).
You can choose to take a hybrid cloud security path or go direct to cloud. In the latter, you’ll have to identify where the line between your company’s and the SaaS provider’s security practices is drawn. Will the provider make you less vulnerable than managing security on your own?
According to PwC, The Global State of Information Security Survey 2014 (September 2013), 82% of companies with high-performing security practices collaborate with others to achieve advanced security and threat awareness.
While business partnerships create a better marketplace — from giving customers a simplified, more valuable experience and growing your base of customers, to increasing Average Revenue Per User and customer loyalty — they’re prone to breaches through third-party vendors — that is unless your third-party vendor’s expertise is security.
That’s why it’s critical co-opetition partnerships have clearly defined roles and responsibilities when it comes to protecting data. Know what your partner’s security strategy is and what they do to maintain that security. To find out, ask these questions:
- What have they done to ensure a secure environment?
- What risk-assessment exercises have they performed to identify vulnerabilities?
- How often do they perform risk assessments?
- Can they accommodate the compliance requirements that apply to your business model, such as payment card industry regulations?
- What is their remediation plan?
- How will they ensure their own business continuity in the event of a breach or incident?
There needs to be a clear outline of the data loss prevention plan, including a clear definition of whose responsibility it is for protecting the shared environment — who owns what burden, and where is the responsibility and liability line drawn?
Security is not one-size-fits-all. Insight offers custom solutions and services to meet your security needs and keep your critical assets protected. And we partner with more than 3,600 software, hardware and cloud specialists that we’ve vetted for the best security practices.