The instinct to avoid responsibility starts young—most of us learned early on, for instance, that the primary benefit to having siblings was gaining a convenient scapegoat. But while companies have gotten into the habit and privilege of outsourcing everything from code to systems to avoid responsibility for them, there is simply no such thing as outsourcing risk. And here’s what that means for your business:
Risk is Regulated
There was a time when regulations had no bite: they existed but lacked the punishments necessary to garner serious adherence. Now, with data loss causing exponentially more damage each year, the consequences for data loss are nothing to smirk at; the MD Andersen Cancer Center was fined $4.3 million as a penalty for violating HIPAA privacy standards, and they’re simply one instance among many.
There’s no longer any avoiding responsibility that corporations are to be held accountable—whatever illusion of denial we operated under was swiftly crushed by the deluge of emails necessitated by GDPR. And it’s not just the European Union declaring that companies are responsible for the data they collect (with hefty penalties for non-compliance): the Payment Card Industry Data Security Standard pins the responsibility of accepting, processing, storing, and transmitting credit card information on merchants, the Federal Deposit Insurance Corporation outlines specific rules and regulations for managing third-party vendors, the U.S. Securities and Exchange Commission prioritizes cybersecurity in every examination program to ensure the safe operation of markets, and there are many, many more examples. Every business relies on customer data to operate, which means that every business is responsible for protecting the data with which they have been entrusted, including your third and fourth parties.
The Complexity of Interdependency
Every business is forced to interact with and employ vendors, which necessitates data transactions. This exchange is akin to trusting your child with a babysitter—though the babysitter may, unbeknownst to you, have an affinity for knife-throwing, your child’s safety is ultimately your responsibility: it’s your job to run a background check on the babysitter and make sure she or he has the proper certifications and first aid training and isn’t preparing to use your baby as a target on a knife-throwing wheel of death.
Managing data after it’s left your immediate jurisdiction is complicated, though; it’s difficult to gauge how someone else will handle your data, regardless of what your contract might say. And hackers know that—that’s precisely why they use vendors to gain access to valuable data as a path of least resistance. Consider, for instance, hackers that target construction companies preparing to bid on a high-profile project: a competing construction company could try to, “...steal intellectual property, commit invoice fraud, or obtain valuable information about a high-profile project and pass it on to a rival.” While the hacker is certainly committing a crime, it’s the high-profile company that’s responsible for the leak of data, not necessarily the construction company that was granted use of that data (though they just lost a client). The onus of responsibility always lies with the owner of the data. Systems and infrastructure can be outsourced, but risk cannot.
Even the most well-funded military in the world isn’t immune to attacks through third-party vendors: Chinese hackers gained access to U.S. naval secrets through their contractors. But the contractors aren’t to blame—the U.S. government is. In fact, every time customers have been informed their data was stolen, their anger is with the originating company (Home Depot, Equifax, Marriott, etc.), not with the contractor that was the weak link in the digital infrastructure. Those customers know not to blame the babysitter: it’s the parents’ fault.
What’s to Be Done
It’s clear that risk can’t be outsourced, so stop trying. Accept that if you allow a vendor to become a steward of your valuable data, your risk surface is extended to include your vendors—vendors are simply an extension of your own team. With that shift in mindset, the next step must be fully understanding your risk and risk surface. Utilize cyber risk management tools to gain a real understanding of your vendors’ security. The best cyber risk management tools will not only give you a list of vulnerabilities but will prioritize those risks so you can address the most impactful issues and their root causes first. If you have the luxury of not releasing customer data to your vendor before the vendor’s risks have been remedied, do so; otherwise, if it’s an established relationship, quickly remediate the largest risks first.
Extending Responsibility
Enterprises clearly hold responsibility for data, and numerous regulations outline responsibilities and consequences for protecting that data. Gaining objective information through cybersecurity ratings about a vendors’ performance isn’t a way of punishing a vendor, but rather an indicator of how capable they are of protecting your data as an extension of your business.
In this worldwide digital infrastructure, safeguarding against threats ultimately benefits everyone, from customer to enterprise. There is simply no outsourcing risk, so the sooner assessing and securing vendors become an integrated part of every company’s cyber risk management processes, the sooner we can experience a safer world for data.
About the author: Kelly White is the CEO and founder of RiskRecon, which is one of the world's fastest-growing cybersecurity risk rating company, serving a broad spectrum of enterprises across the globe, including six of the top ten US financial institutions. Kelly is the creator of numerous cybersecurity algorithms and patent-pending technology. For more information, go to https://www.riskrecon.com/.