One of the things that caught my eye in PwC’s most recent The Global State of Information Security® Survey 2014 report was the information it shares about the importance of evaluating the security of third parties.
As data proliferates and is shared among more partners, suppliers, contractors, and customers, it is increasingly critical that businesses understand the risks associated with sharing data with third parties. What’s more, organizations should ensure that third parties meet or beat their requirements for data security.
This is a refrain I have been using for years, even having presented about it at the 2009 Drug Information Association Annual Meeting in San Diego, as well as the 2010 Pharma Outsourcing Congress in Munich.
Unfortunately, the results from PwC’s survey and an earlier survey on cybercrime indicate that 57% of the organizations surveyed either don’t assess third parties at all or do so less often than once a year.
How successful would a software company be these days if it only released a new piece of software once every two or three years? Likewise, how successful would a cyber criminal be if they only created a new attack once every two or three years? Since we know both software and attacks are changing rapidly, doesn’t it make a lot of sense to assess third parties more frequently as well?
The points I made four years ago still ring true today: developing comprehensive policies, performing assessments and audits, and establishing partner frameworks are key to ensuring third parties are not the cause of an attack or of non-compliance.
Your third-party providers are key to the security of your information. Do not let ignorance of their practices become your undoing.