How to Evaluate Third Parties

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

So you can set the groundwork for how you share documents and communicate with others. This is the part of the business relationship where you can control things. There is also the other side that you have to consider—the ways the third party operates in general, and whether or not you can trust them with your business. You can’t control how a business operates, but you can go through the steps to vet or check how they run things and see if it is good enough for you.

The “good enough” bar you set is the same bar you would set for yourself if you were doing that service or job. It can be hard to vet this information; the service might come from a large global provider who doesn’t care about “earning your trust” because they have plenty of customers already and it is not worth their time to go through an exercise like this. It can also be hard because you are essentially asking them to tell you where they do “good security,” which inversely tells you where they are not doing good security. You are, in effect, asking them where their holes are, which would be very helpful information to an attacker.

Vetting a third party is like a dance: it might not be very fluid from the start, you might step on some toes, and they might step on yours. You might even find a different dance partner if you can’t quite dance in the same rhythm. This happens, and it is a great way to weed out anyone who might not take security seriously. If toes are stepped on, it is important to bring the conversation back to “We care about security, and we need anyone we work with to care too.” It might be that you asked them a question they can’t answer directly, but they can give you some other detail that lets you build trust that they too care about security.

To help guide you through this tricky dance, here are a few starting questions that most third parties should be able to answer:

  1. Do you and your team go through any security training? What is the security culture like within your organization?

  2. Would you notify me or my business if there was a possibility, or if it was confirmed, that our data was lost? How quickly would you notify us, and how would you notify us? Do you have key incident or resiliency principles you aim for when it comes to security or privacy breach responses?

  3. Where do you store our business’s data? Are you able to and do you protect access to our data using granular and limited access controls, 2FA, and strong and up-to-date encryption practices?

To give you an idea of what good and not-so-good answers to these questions look like, take a look at these examples using likely answers from a smaller, local service provider.

Example
  • Question: Do you and your team go through any security training? What is your security culture like within your organization?

    • Not great answer: “No training is provided to the team,” or the third party is unable to provide examples of positive team culture.

    • Better answer: “We don’t provide formal security training because we are a small team; however, our business leadership team leads by example on security. We provide the team with password managers for storing passwords, and the team is encouraged to ask for help from anyone on the leadership team if they think there is a security problem. We have a channel in our team’s communication tool where people can ask for help on any security matters, and the team actively uses it.”

  • Question: Would you notify me or my business if there was a possibility, or if it was confirmed, that our data was lost? How quickly would you notify us, and how would you notify us? Do you have key incident or resiliency principles you aim for when it comes to security or privacy breach responses?

    • Not great answer: “By agreeing to our terms, you agree that we may not notify you of breaches. You may refer to our press releases for any news about the service, and contact us if you have any concerns.”

    • Better answer: “We aim to notify you as soon as we can (via email) of any breaches that may have involved your data. While we can’t provide details of our incident response process, we can confirm our key goal in an incident is to reduce the spread and impact of an incident. We will engage with other third parties, such as CERT or police, to get help as needed.”

  • Question: Where do you store our business’s data? Are you able to and do you protect access to our data using granular and limited access controls, 2FA, and strong and up-to-date encryption practices?

    • Not great answer: No comment, or generic lines that state “data is encrypted” without specifying what data that refers to.

    • Better answer: “We can’t provide evidence or details; however, we can confirm that your data is stored within our platform, where we use multiple security controls to protect our customers’ data. This includes requiring multi-factor authentication to gain access, the principle of least privilege for access within the platform, and strong and current encryption protocols and practices. Any copies of data outside the platform are secured using similar controls.”

Paying Others Safely

Invoice scams have become a common type of attack because they are low-effort and high-reward from an attacker’s point of view. We explained how these attacks work in Disable Automatic Forwarding. As you know by now, security is all about the multiple steps you can take to protect yourself, rather than “this one weird trick that fools all hackers.” Those don’t exist.

Taking technology out of the equation, one step you can add to an existing payment process is to verify any new or changed payment details. This means:

  • When a new contact that needs to be paid is onboarded, you call them or speak to them in person to confirm where payments should be sent.
