editione1.0.0
Updated October 9, 2023To manage your security risk while getting help from others, let’s rephrase the above two considerations into principles you should follow:
What is the minimum amount of data, information, or access they need to still do their job?
How can I control how they access that data, information, or access (so I know it is going to be secure)? Or how can I confirm how they will be securing it (so I can keep them accountable)?
The first principle is all about limiting the impact of the risk of something going wrong. If your accountant doesn’t provide you invoicing services, then they shouldn’t have access within your accounting software tool to manage invoice settings. This just opens up and increases the risk of their access being used to cause big damage to you. This isn’t about being secretive or cagey, it is about taking the security of your business seriously and limiting the chances of something going wrong if access or data does not need to be shared. Think of it as the same as when you hire someone to come to your office to clean, or hire someone to watch your pets while you are away from your home. You might give them the keys so they can come in and do their job, but you would leave important things—such as important documents, money, and valuables—locked away in a drawer or safe.
The second principle is about setting or sharing what is needed safely. You might be in control of this. For example, you might subscribe to an online accounting tool, and invite your accountant to join so they can see your account. In this case, you want to set things up as best you can to make it safe from the start. This includes:
limiting what the third party can do, and making sure the access rights they have are as limited as possible
setting or enforcing specific security for people you invite.
For example, some tools might allow you to force all users you invite to use 2FA. Or you can configure the tool to email you when settings or configurations have been changed, so you at least know what that third party is up to and if they are changing things that are outside the realm of what they should be doing.
However, you might not always be in control, perhaps because you are paying that third party to provide a managed service. Very similar to how we vetted our website service provider earlier, there will be more steps to take to vet these types of outsiders, covered in the next section. You will likely need to then share data and information with them, and you should do this in a secure way to set the standard for how they can expect to communicate or share things with you. This includes:
Understanding the type of documents, data, and information they will need access to. This will have a big impact on what you will need to set up when it comes to safe ways for sharing documents or communicating with each other.
If the managed service provider helps you with preparing marketing content and materials for your business, you probably can stick with just sharing documents via email (if size limits are not an issue) because the data in those documents are not risky.
If the managed service provider is helping you manage your website, domain, and email provider, you care more about having a secure way to communicate so you can stay in the loop about what is going on, and any changes that might need your approval.
If the service provider is doing your annual accounts, payroll, and bookkeeping, you care about having both a safe way to share sensitive documents (like payroll details) and a safe way to communicate about ad hoc topics, like clarity on reconciliations or approval on new invoices coming through for payment.
Agreeing and setting up a safe channel for sharing sensitive documents. The key part of safe here is making sure it uses a channel that requires both sides to be “logged in,” requires documents to be shared specifically between you and the third party, and uses encryption. Encryption is like opening a can of worms, and in most cases you’ll be using document-sharing tools in your browser, such as Dropbox, Microsoft OneDrive, or Google Drive. For browser-based tools, you’ll want to check that it uses HTTPS.
Some good options here are using a document or file sharing tool and sharing just a specific folder with an outsider’s specific email. Avoid using “publicly accessible” links, and stick to listing the users by email instead. You can also use shared channels on communication tools like Slack if your team is already using something similar internally.
To focus on the word sensitive, sometimes a document might not have any personal or sensitive business information in it, and you can share it by email. This is OK, but if you are sharing more sensitive documents, you want to do the work early and set up a safer channel.
Agreeing on the best way to share ad-hoc data or information, and verify requests. Aside from sharing documents, you’ll want to agree on a standard way of communicating. For most things, email is perfectly fine. If you have regular communication where the third party is asking for approvals, or for you to make changes, you should make sure there is always a step to verify a request.
Relying on just one channel of digital communication can be risky. People can lose access to email, and this is entirely outside your realm of control. Having a simple second step, like a text message or phone call, to double-check when these requests are coming through is all you need to verify a request.
Following these steps, you’ll have a solid baseline and foundation to work on when it comes to securing the way you work with others. The next few sections of this chapter will narrow down into specific use cases and contexts.
So you can set the groundwork for how you share documents and communicate with others. This is the part of the business relationship where you can control things. There is also the other side that you have to consider—the ways the third party operates in general, and whether or not you can trust them with your business. You can’t control how a business operates, but you can go through the steps to vet or check how they run things and see if it is good enough for you.
The good enough bar you set is the same bar you would set for yourself if you were to be doing that service or job. It can be hard to vet this information; the service might be from a large global provider who doesn’t care about “earning your trust” because they have plenty of people coming to them for business and it is not worth their time to go through an exercise like this. It can also be hard because you are essentially asking them to tell you where they do “good security,” which inversely tells you where they are not doing good security. You are kind of asking them where their holes are, which would be very helpful information to an attacker.
Vetting a third party is like a dance: it might not be very fluid from the start, you might step on some toes, they might step on yours. You might even find a different dance partner if you can’t quite dance in the same rhythm. This happens, and is a great way to vet out anyone who might not take security seriously. If toes are stepped on, it is important to bring the conversation back to “We care about security, and we need anyone we work with to care too.” It might be you asked them a question that they can’t answer directly, but they can give you some other detail to allow you to build that trust that they too care about security.