Currently the corporate world focuses on curbing data breaches, but one element that many companies overlook from a cyber security standpoint is their relationship with third-party vendors and contractors such as software outsourcing companies in India. The current trend of outsourcing in today’s rapidly evolving global economy has raised a whole new set of risk management concerns for companies across industries. It has become evident that most of these data breaches result from a third-party relationship: cybercriminals exploit vulnerabilities in the third party’s network and thereby gain access to the company’s confidential information. Recent examples of such exploitation can be traced to the cyber-attacks at Goodwill, Bank of America, AT&T, AutoNation and Lowe. The loss is not limited to financial damage; it also erodes customer confidence, creating prolonged reputational damage.
A number of reports show that the share of breaches linked to outside contractors is alarming. According to a 2013 PwC report, 63% of global data breaches were traced to a third-party element in the company’s administration. The report further states that only 32% of organizations ensured that their third-party vendors comply with the company’s cyber security policies. Other alarming findings were that 69% of companies were unable to produce an accurate record of the places where their data was stored, and 74% did not have a complete inventory of the third-party suppliers that handle employee and customer data. These statistics are enough to show that the loopholes left behind give a cyber-attacker ample opportunity to exploit them.
A company might have a very well designed internal cyber security policy, but when it comes to dealing with third-party providers such as outsourcing companies there is a clear tendency to let these strict guidelines loosen a little. A company cannot afford to take matters of such importance lightly. Thus, it is of utmost importance to hold third-party entities to the same set of cyber security standards and protocols that form part of the company’s internal security framework.
The Importance of Third-Party Management Agreements:
This forms an important part of the third-party risk management process, as it puts in place the contractual and governance protections required when engaging with any supplier. The agreement is known as a Service Level Agreement (SLA) and is considered one of the essential tools for mitigating a company’s risk. When under contract with third-party vendors, one must clearly define the security procedures and policies to be complied with during the term of the contract. Liability and indemnification provisions that correspond to the value of the data must also be included. A company must consider not only how third parties manage cyber security but also how its relationship with these service providers, such as software outsourcing companies, will expose data and increase risk for the company itself.
There are certain ways to increase the effectiveness of SLAs:
An organization must include detailed security assessments and involve internal cyber security experts, who help it gain an understanding of the supplier’s processes and security tools. This also helps in identifying any gaps or vulnerabilities in the process. To gauge how effective a supplier is, one must analyze how the supplier handled past cyber security incidents and what steps it took to improve its operations. For a glitch-free process, an effective SLA must focus on key elements such as:
Definition and analysis of specific threats and risks
Scope of compliance requirements
Foreign corrupt practices management
Internal audit and monitoring terms
Any SLA requires the contractor to comply with relevant regulations, and it also needs to be specific about the timeframe for reporting a data breach to the company. The terms and conditions must be stated explicitly so that no misunderstanding arises regarding the company’s expectations and requirements. The contract should also include a provision to accommodate new laws and regulations that may take effect during the term of the agreement.
Taking Responsibility for Third-Party Risk
Many companies do not have in-house staff with the necessary expertise to properly assess the vulnerabilities of networks, systems and databases, or to negotiate SLAs with third-party contractors. The responsibility for ensuring the safety of cyber security assets lies with the company that hires the third party, not with the software outsourcing company. Some regulations hold the service provider liable, but the principal company should not assume this from the start and must plan accordingly.
When dealing with such risks, one must have a system that allows the company to address security with suppliers both individually and on a case-by-case basis. Responses to security incidents should be given the utmost priority, and strategic decisions should be made with their impact on the overall cyber security risk management program in mind.
To summarize, outsourcing has become a billion-dollar industry, but many companies neglect the cyber security risks associated with it. This article has discussed the management of such risks, which a company should take into consideration before entering into a contract with a software outsourcing company in India.
Being aware and proactive will help ensure that the risk associated with software outsourced to software outsourcing companies is kept to a minimum.
Courtesy: Bhavesh Bulchandani