How you can help mitigate third party breaches
Getting your own cybersecurity right is enough of a challenge, as a number of our previous blog posts demonstrate. Preventing breaches of your own network is a complex process of instilling good practices, using the right tools, and making staff invest in the value of cybersecurity. It’s a process that requires buy-in from everyone in the company, and often cooperation with a dedicated IT service provider.
Unfortunately, not all companies take cybersecurity as seriously. Using third party services such as cloud software is an investment of trust, and one which can expose you to risks that may be hard to protect against. Mitigating these risks means obtaining assurances about the security provisions of these services, taking precautions, and not taking anything for granted.
What are third party services?
Third party services are any online services that are not operated and hosted by your organisation. This includes obvious examples of major software such as Microsoft Teams or Google Docs, but also smaller and more industry-specific services, such as file storage, project management or accounting tools. Any software which you use online or which has an online component is a third party service, and could pose a security risk.
Third party services also include services which are offered by other businesses, whether conducted in-house at those businesses or entirely in the Cloud. This might include an outsourced payroll company, a marketing agency, or an HR firm. Any business or service that involves the storage, processing or transmitting of your data poses a risk to that data – and this risk should be factored into your cybersecurity provisions.
Why are third party services dangerous?
Third party services aren’t inherently dangerous, but they represent an unknown. When it comes to your own cybersecurity, you have certain guarantees: you know what steps you’ve taken to protect your systems and mitigate risks. When using a third party service, you are often taking those things on faith. If you do not have specific and convincing assurances about another business’s cybersecurity, any data you give them could be at risk.
Perhaps the greatest danger of third party services is that many of us barely stop to think about the data that we are giving away, or storing outside of our own systems. Even if you don’t choose to save a file on a third party service, it may keep a backup of what you’re working on, in case you lose your progress. It will also likely collect data about you and how you use that service, which could be used to identify you.
The most obvious risks arise when you are actively storing data on third party services, such as file sharing websites. In the event of a security breach of these platforms, your data could be accessed by malicious actors. This could lead to your information being stolen and even ransomed, or simply the loss of your data. As well as the financial risks from lost time and data protection laws, such a breach could also reflect negatively on your security protocols, and subsequently your reputation.
For example, imagine if you used an online file sharing service to send a database of customer details to your colleague, and this service experienced a data breach. Your customers’ personal details would then become freely available on the internet. This would not only jeopardise your working relationship with them, but also expose them to a cascade of the same financial, productivity and data protection risks.
How to securely use third party services
It’s essential to ensure that third party services won’t pose a risk to your company’s data. Thankfully, you can achieve this by following a few simple steps:
- Do your due diligence. Before using a new third-party service, ensure it is legitimate by reading a range of reviews. This should not only include reviews listed on the provider’s own website (as these could be made up), but also on external websites such as Google or Trustpilot.
- Check their security policies. Most service providers will be aware of the importance of assurances on cybersecurity, and will have a page detailing their security provisions. The absence of any information about cybersecurity is a red flag, and more research should be done to obtain guarantees on this, including contacting the company behind the service.
- Find out what data protection regulations they are compliant with. Again, most services will have a page detailing their data protection measures, including whether they are compliant with GDPR. If there is no mention of GDPR, you should take care to compare their provisions with what is required under GDPR, and ask questions to obtain guarantees on anything that may be missing or unclear.
- Hold regular security audits of the third-party services you use. The security provisions of third party services can change, as can the laws you need to abide by. Make sure to regularly review the third party services you use to ensure that they remain compliant, particularly if there is a major change to data protection law.
- Always protect your accounts with strong passwords and multi-factor authentication. This helps verify a user’s identity to ensure only authorised users can access resources such as applications and accounts.
It is also important to implement:
- A virtual private network (VPN). VPNs create a secure connection when accessing company data, and are particularly important over public Wi-Fi connections. A VPN creates a safe tunnel for data to pass through from your device to the third party service, ensuring that your data is not compromised en route, which would otherwise cast the security of the third party service into doubt. VPNs are ideal for employees who work remotely, as they provide a layer of security off-site.
- Encryption. Encrypt your data to keep it safe while moving it between users, systems, and devices. Encryption protects the data on your computer and networks, reducing the chances your organisation will suffer data breaches – and lessening the impact of a data breach if one does occur.
Secure third party applications and services can enhance collaboration among employees and improve productivity, whether they’re working at the office, from home, or at another off-site location.
Many platforms now make it easy to share all your digital assets in one place, ensuring everyone can find the information and data they need. This heightens the need for strong cybersecurity protocols – both on your side and that of the service provider. To learn more about cybersecurity and using third party services safely, get in touch with Sota today.