Most organizations fail to manage risks associated with sharing data with third parties

David Geer recently spoke with Jose Granado, CISSP-certified and a Principal and Service Delivery Leader at the Security and Technologies Solutions Practice for Ernst & Young. Mr. Granado will be addressing findings on third-party data sharing risks from a 2006 Ernst & Young survey, "Achieving Success in a Globalized World: Is Your Way Secure?", which tallied the views of 1,200 senior information security professionals from 48 countries. Following is an edited transcript of that conversation.


David Geer: The survey found that over half of organizations are failing to manage the risks of sharing data with third parties. What kinds of third party data sharing risks are we talking about?

Jose Granado: There are numerous risks that are associated with third party data sharing. Take, for example, the scenario where you have an employer, an employee, and then a third party, say, managing your medical benefits, 401K or perhaps your corporate travel program via the web. A poorly constructed website or web application from a security perspective could allow an individual access to a backend database containing employee personally identifiable information, or PII, as we say in the industry. Obviously, this could have grave consequences with regard to your specific perception in the corporate world as far as protecting data. Or, the scenario that we've seen recently in the news involving data stored on stolen laptops or lost backup tapes by third parties, which contain customer information, is very grave as well. And then there's always the insider threat risk. Just like many organizations, whether it's a third party organization or a typical company, there's always a potential for employee misuse of data and authorized access of data. So, the risks of unauthorized access, unauthorized disclosure, and potential misuse of data really exist in a variety of formats and scenarios.

Geer: With particular reference to the results (i.e., that over half of organizations fail to manage these risks), what about that specific data result surprised you?

Granado: It is somewhat surprising because it's intuitive to me that you would want to manage the risk of your vendors. Any time a vendor is connecting to your company, to your enterprise, they are an extension of you. But from the practical side of things, and from the business side of things, the results are not surprising. Typically, vendor risk management is handled in a piecemeal approach, if at all. And larger organizations are driven at the business unit level where business unit IT teams or IT security teams are enabling data sharing and connectivity with vendors. And so you have one BU hooking up with a vendor for a specific business need and perhaps you have another BU hooking up with a separate vendor in a different fashion, and those vendors are managed differently. This is an issue that really needs to be addressed holistically, but oftentimes it's difficult to find someone within the organization who is the access czar, so to speak. And the managing component, whether it's the network team or the IT security team, sometimes those lines are very gray, and it makes it a very difficult situation to manage.

You're only as secure as your weakest link, and these vendors and your suppliers are truly an extension of your enterprise. We're starting to see a mindset shift, but I don't think it's [happening] quickly enough, and the mindset that needs to be prevalent is the trust-but-verify approach. It's not good enough to be shown a policy document on IT security or a network security architecture diagram. You need to independently validate the security posture of any organization you will be connecting to so that you can properly assess the risk to your enterprise and then provide adequate course correction to mitigate your risks. A recent survey looking at consumer reaction to company data breaches showed that customers might forgive a company once if data is compromised and the company itself was handling and managing the data, but they would not forgive organizations that outsourced the function and data handling, even if it was the first breach from a data perspective.

Geer: Can you give us any data points about the kind of impact that we're already seeing?

Granado: I think we are really starting to see some tangible impact with regards to data points. And I think the two themes I'd like to talk about are the customer and compliance.

From my perspective, there is a higher expectation of data protection within the customer. And there is another study out there that talked about customer churn with regards to loss of data and data breaches, and those percentages increasing quite a bit over the last couple of years. So there's a definite monetary impact. Then, there's the intangible impact of brand reputation and the cost associated with that and reliability that is also starting to increase. And it's sometimes difficult to put a number to that, but it certainly has a business impact to it. From a compliance perspective, we've seen a lot of laws out there at the state and federal level. I believe over 34 of our states to date have data breach notification laws, and if you recall this all started back in California a couple of years ago, and now 34 of our states have some kind of notification laws, and I would venture to say that pretty much within the next one or two years I think every state will have some kind of law.

So, a lot of impact with regards to customer loyalty, with regards to customers voting with their feet and switching retail or banks or what have you, and then with the increased compliance on laws I think this kind of issue is really starting to have a significant impact. And, again, I think the way the customers are looking at it is I'm giving you my business or I'm giving you my money. Whether you outsource it and it was the outsource organization's issue or yours, it's your job and I expect you to provide the appropriate level of due diligence and protect my information and my data, and if you don't, I'm going to take my business somewhere else.

Geer: What are the top five things companies should do immediately to begin to manage the third party data sharing risks?

Granado: First and foremost, companies should adopt a trust-but-verify model with all their third party vendors and suppliers. It's great that your suppliers are managing their own risks and that they can show you that vis-

This story, "Most organizations fail to manage risks associated with sharing data with third parties" was originally published by ITworld.


Copyright © 2007 IDG Communications, Inc.
