As companies continue to explore new outsourcing and cloud services models in search of improved cost and productivity efficiencies, service providers are being asked to handle increasingly sensitive types of data. However, many customers are still not requiring heightened security measures from their vendors to safeguard this sensitive data.
A recent study by Gemalto, "The State of Payment Data Security," provided some telling examples. More than half (55%) of the IT security practitioners surveyed did not know where all of their company's payment data was stored or located. Fifty-nine percent (59%) of the responding IT security practitioners said that their companies allow third-party access to payment data, but, of those, only 34% require the use of multi-factor authentication to protect such data. The study also found that less than half (44%) of those surveyed use end-to-end encryption to secure their payment data.
This point was emphasized recently in the Online Trust Alliance's (OTA) 2016 Data Protection Breach and Readiness Guide, where the OTA included among its key lessons the important reminders that "security is beyond your walls" and that the level of protection required for data should be determined by taking into account the nature and sensitivity of that data.
In keeping with this concept, companies should be looking to develop comprehensive vendor risk assessment programs to make sure their sensitive data is protected, even when outside of their immediate control. An effective risk assessment program is an ongoing operation and should include:
- understanding the nature of any data which a particular vendor may be able to access or store;
- conducting risk assessments as part of the vendor selection process prior to awarding a contract;
- making vendor security capabilities part of the key decision criteria for any RFP or other selection process;
- requiring robust and specific data security protections within the contract itself; and
- continuing to review vendor security practices and to assess compliance with contractually mandated measures on a periodic basis over the entire term of the vendor relationship.