“It’s so hard to find good help these days,” is something that more and more companies are saying when they’re looking for cybersecurity talent. It’s estimated that 80% of organizations face a shortage of workers who specialize in cybersecurity. The reasons for this gap are varied, including the fact that new technology like cloud computing and IoT devices require different security protocols that individuals might not be trained in. In addition, more complex computer systems might require a lot more personnel than a company can reasonably hire. This is why many are outsourcing the entirety of their cybersecurity processes to third-party firms overseas.
The problem, however, is that when your firm outsources your cybersecurity to another company, you must give them a lot of access. That firm is going to have control of your customer’s data and sensitive information. In some cases, they may even have access to proprietary source code. There are significant risks to be had and more than a few horror stories exist from these outsourcing contracts going very wrong. To avoid this, your company needs to practice extreme vetting of not just the people you work with, but the companies you outsource to as well.
When Outsourcing Goes Bad
In 2002, a CAD/CAM company chose to outsource their IT security to India. As a precaution, the company required that all employees involved in the contract sign non-disclosure agreements. So, when a few disgruntled employees took off with their source code, they thought they were covered. As it turns out, they weren’t. In India, those non-disclosure contracts were unenforceable. There was no law in the country at the time regarding the theft of intellectual property. Consequently, the company had to jump through many hoops to stop those employees from selling their source code, the most important part of their business, on the open market.
If you’re outsourcing to third-party companies, that’s something you need to be aware of. The non-disclosure agreements you have those other companies sign are often unenforceable. That means if employees of that company choose to sell your data, you’ll have little to no recourse.
Your only choice is to be proactive. The security of your data is of the utmost importance, but when you put that security into third-party hands, you’re running a really big risk. To reduce that risk, there are a few precautions you need to take. Most crucially, you need to practice extreme vetting at an enterprise level.
How Deep Vetting Works for Entities
When you start the proposal process to find a third-party IT security vendor, most likely you’re going to focus on the lower bids first. That’s a mistake. Often, when a low bid comes in from an outsourcer, the only way they can afford to work for what they have offered is to cut a lot of corners.
Instead, you want to look at the companies who make themselves the most transparent. The proposal they send shouldn’t be based simply on a vague idea of where your data will be stored and the number of employees working with that data. This proposal should also offer you in-depth information on the team leads for your account, including resumes. When you find the company you like, it’s not just a matter of accepting their proposal. Instead, you need to ask for more information.
That information should include the information of every person who will have access to your sensitive data. In addition, you should know exactly where the servers that host your data are located. This allows you to begin extreme vetting of that company, because you’ve broken their major project down into its various parts.
Now is the point where most companies outsourcing their third-party data will simply ask those individual employees to sign non-disclosure agreements. But this is actually the point where you should focus on using tools like Remote Risk Assessment (RRA) to ensure that your vetting process is actually as thorough as it needs to be.
Using RRA for Extreme Vetting of Entities
The problem most have with extreme vetting of entities is that of individual threat. A company might be incredibly reputable, but there’s a chance that one of the hundreds of employees who will work on your account won’t be. Is it possible to run background checks on every one of those employees? No, and the onus of those background checks shouldn’t be on you, but you could certainly insist on deep vetting of those employees who will be working on your account. For that to work you will need an automated, easy-to-deliver tech that gives you highly accurate results—precisely what RRA is.
To manage the hiring of a third party on an individual level, you need to look at the company’s own hiring practices. If they do background and financial checks, then you’re off to a strong start. But you can take that a step further using RRA.
With RRA, you can assess for risk of those third-party employees with an automated, short interview, taken via phone. Those employees can be asked yes or no questions that are important to you, like, “Have you ever sold company data to a third party?” Their answer is analyzed using proprietary technology and if risk is indicated, the file can be flagged for further investigation.
This process will help you develop a risk heat map of where the highest and lowest risk employees are. A deal with high-risk organization can be declined, while you move on to lower risk third-party vendors who will keep your information secure.
AC Global Risk offers RRA as a solution for companies working with overseas vendors because we know that, in many cases, the laws in those countries may not protect you or your data. The only way to really protect your company’s sensitive information is to be proactive by implementing extreme vetting of the third-party companies you choose to work with. For more information on how RRA can reduce your risk when using third-party vendors, contact us today.