April 2, 2021
It’s Not Me, It’s You: Third-Party Cybersecurity Vulnerabilities
by Josh Stevens, Esq., Mac Murray & Shuster LLP
You have hired the best IT team you can find. You invested in firewalls, anti-virus software, penetration testing and world-class intrusion detection systems. You train your staff monthly on security vulnerabilities, avoiding phishing scams and the importance of protecting their home office.
Yet, with all these precautions and more, you overlooked one key gap: the vulnerability of third-party tools integrated into your systems and the systems of these third parties themselves.
As the recent Microsoft Exchange and SolarWinds data breach incidents have shown, one of the greatest threats to enterprise cybersecurity is coming from outside the house. Businesses often implicitly trust their third-party data processors and suppliers of software and hardware to be aware of and protect against security vulnerabilities.
For the most part, these processors and suppliers have every market incentive to protect data – a breach tied to their services can be ruinous. By the same token, a third-party vulnerability that exposes your company’s data can harm consumers, reveal trade secrets, expose the business to regulatory penalties and lawsuits, and, importantly, tarnish the brand you have worked so hard to cultivate.
What can you do to help protect your business?
Do your homework
Before engaging any third-party data processor or integrating software or hardware from a third-party supplier, conduct due diligence on the security of the product and the policies and procedures the vendor has in place to protect its systems, identify and remediate security vulnerabilities, and respond to security breaches.
Seek experienced counsel in negotiating
Work with counsel to negotiate strong data security standards, data use limitations, security incident reporting, breach coordination, and indemnification and defense provisions into your contract.
Incorporate into your own processes
Update internal risk assessments and security strategies to account for the third party’s contributions and monitor continuously.
No business can ever eliminate all security vulnerabilities, but by taking these important steps your business will be well positioned to reduce the risk of using third-party processors and suppliers.