In a recent case involving multiple large car manufacturers, 47,000 documents were reported to have been exposed by a small third-party working with many of the large automotive brands.
Recent reports have shown that some outsourcing companies may not be protecting shared data as well as they should be. Organizations should be more vigilant in ensuring that their business partners have data control procedures in place that are at least as stringent as their own to protect sensitive and confidential information.
Dependency on third parties
Regardless of what your company does to create revenue, it is highly likely that you pay other companies to help with part of it. It is often beneficial to outsource non-core activities such as IT support, catering, legal services, product design, or manufacturing.
To maximize the returns of an outsourcing agreement, companies need to treat the third-party companies as an extension of their own workforce. This means that they must share all relevant data and information necessary, so they stand a chance of being able to deliver the services in exactly the same way as if they were being delivered in-house.
Necessity to share data
For some outsourcing agreements the information that needs to be shared may be relatively trivial. For example, an outside catering company will need to know the number of employees that will be expected to eat lunch and how many of those are vegetarians. This type of information is not usually regarded as sensitive and is unlikely to seriously impact the company if it gets into the wrong hands.
However, this is not the case for the types of information that a company would need to share with third-party outsourcing companies such as an external design firm, a lawyer, or a telemarketing agency. In these cases, the data that needs to be shared is significantly more sensitive to the company’s operations. If it fell into the wrong hands, it could negatively affect the company. If a company’s product designs, manufacturing methods, non-disclosure agreements, contracts, or customer contact information are exposed, then it could face issues with copy-cat products appearing on the market, loss of reputation, or even legal challenges due to non-compliance with regulations such as GDPR.
If the company controls this information itself and does not need to share it with third-parties then it can, and should, put controls in place to prevent unauthorized access and distribution of the data. However, when sharing data externally, the company could lose control over how carefully access and distribution of the information is managed.
Real world case
In a recent case involving multiple large car manufacturers, 47,000 documents were reported to have been exposed by a small third-party working with many of the large automotive brands. These documents are reported to have included product blueprints, invoices, customer contracts, work plans, and non-disclosure agreements as well as personal data such as driving license and passport information belonging to the employees of the third-party.
In this case, the data was discovered by the security firm UpGuard, so it does not appear to have fallen into the wrong hands. However, if it had been discovered by someone who was less trustworthy, it could have had significant implications for many of the large car manufacturers for years to come.
While you may not work for one of the car manufacturers involved, you almost certainly work for an organization that outsources some tasks to third-parties for part of its operations. How confident are you that all the information involving intellectual property, legal contracts, customer contracts, and all other sensitive data that is required to run your company is secure and is only accessible by those who need it?
You should be asking the following questions of your organization:
- Which data is critical to business operations?
- What would happen to the business if this sensitive data fell into the wrong hands?
- Where is this data stored? You should consider business applications such as CRM and ERP, SharePoint and other collaboration solutions, local file shares, and cloud-based collaboration sites.
- Have you secured the backups of this sensitive business data?
- Can you be sure that third-parties who have access to your sensitive data are protecting it as well as you do?
By asking and addressing these questions of your organization, you will go a long way to ensuring that the information that your company relies on is both secure and compliant. As a result, you are more likely to maintain your reputation, avoid costly non-compliance fines, and stay in business in the long-term.
On the other hand, if you are a small supplier providing services to a larger company that shares sensitive data with you, you need to consider whether you have implemented adequate security and compliance measures that are comparable with, if not superior to, their policies. The use of third-parties as “gateways” into larger companies is growing significantly, as attackers know that they are more likely to be able to penetrate the security of smaller organizations in order to get the bigger “prize” from the larger company. If in doubt, you should ask the larger organization for help and advice, as they are more likely to have dedicated security specialists responsible for ensuring data compliance and security, and they will be well placed to help you.
You need to ensure you know where all sensitive data is stored and who has access to it. This not only includes existing employees and current third-parties but also ex-employees and business partners you no longer deal with. It is possible that their access has not been revoked, meaning they still have access to your systems. To make this process easier and more efficient, and to effectively govern company sensitive data going forward, you should consider deploying an identity and access governance solution. This will help you minimize the risk of security and compliance breaches while still allowing you to effectively share data with third-parties so they can perform the tasks required.
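The access review described above, reconciling enabled accounts against HR status and third-party contract end dates to flag access that should already have been revoked, as an added example that is not part of the original article. The account list, employee records and partner contracts are constructed sample data; the owner and contract fields are assumed attributes that a real directory or governance tool would supply.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    owner: str        # employee id or third-party name that owns the account
    owner_type: str   # "employee" or "third_party"
    enabled: bool


# Constructed sample data: employee status and partner contract end dates.
EMPLOYEES: Dict[str, bool] = {"e100": True, "e200": False}          # id -> still employed?
PARTNERS: Dict[str, date] = {"design-firm": date(2025, 12, 31),    # name -> contract end
                             "old-telemarketer": date(2022, 6, 30)}
ACCOUNTS: List[Account] = [
    Account("alice", "e100", "employee", True),
    Account("bob", "e200", "employee", True),            # left the company, still enabled
    Account("carol", "e300", "employee", False),         # already disabled, ignored
    Account("svc-design", "design-firm", "third_party", True),
    Account("svc-telemarket", "old-telemarketer", "third_party", True),  # contract ended
    Account("svc-caterer", "caterer", "third_party", True),             # no contract on file
]


def stale_accounts(accounts: List[Account], employees: Dict[str, bool],
                   partners: Dict[str, date], today: date) -> List[Tuple[str, str]]:
    """Return (username, reason) for every enabled account whose owner should no longer have access."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are not a live exposure
        if acct.owner_type == "employee":
            if not employees.get(acct.owner, False):
                findings.append((acct.username, "owner no longer employed"))
        elif acct.owner_type == "third_party":
            end: Optional[date] = partners.get(acct.owner)
            if end is None:
                findings.append((acct.username, "no contract on file"))
            elif end < today:
                findings.append((acct.username, f"contract ended {end.isoformat()}"))
    return findings


if __name__ == "__main__":
    for user, reason in stale_accounts(ACCOUNTS, EMPLOYEES, PARTNERS, date(2024, 3, 1)):
        print(f"REVOKE {user}: {reason}")
```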