Edition 1.0.0
Updated October 9, 2023
There are two things you need to consider each time you engage or work with someone outside the business:
What are they doing for me or the business—what kind of data, information, or access do they need?
How are they going to protect that data, information, or access?
Ultimately, you provide a service or product, and people (inherently or explicitly) trust you to do it well and safely. When you are engaging or using a third party for your business, you are sharing some of the work and risk with them. You need to make sure they handle and manage that risk, or take the same or similar steps towards security as you do. You can always delegate or hire others to do work, but the buck stops with you when it comes to risk ownership.
The old way of thinking was that if you hired a third party to do something for you, the risk or issue was on them if something went wrong. This is no longer the case: we have seen enough security incidents in the news to know that when things go wrong, it is the data custodians and owners who lose out.
For example, if you hired an accountant to do all your business bookkeeping and invoicing, and their accounting software account was taken over by someone else, there is a lot of damage that person could do with that access. One of the more dangerous and subtle things they could do is change the invoice details to show a new bank account for payments to be paid into. Such an incident could take weeks to notice, and when you find out you might take your anger and frustration out on the accountant. At the end of the day though, you will have to work extra hard to try and keep your business afloat and recover those lost payments, all while trying to run the business. Even in a high-litigation culture like the US, these incidents are still forming legal precedent and there are no guarantees on who wins or loses in these situations. Time is better spent doing due diligence early to lower the risk of these types of events happening in the first place. We now know the best and easiest way to stop these common attacks is to make sure the accountant sets up 2FA when accessing your business’s accounting software.
We learn a lot in hindsight from common incidents like these. They teach us the importance of earning trust, assigning trust and access on a “need-to-know” basis, and setting up our tools and processes to catch when trust is broken. Let’s go through a few things you can do to put these lessons into practice.
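The invoice scenario above is a good illustration of a process check that catches broken trust. The script below is an added example, not part of the original guide and not any particular accounting product’s feature: it keeps a baseline of the payee bank details per vendor, flags any invoice whose details differ from that baseline, and only updates the baseline once the change has been confirmed out-of-band (for example by phoning the vendor on a number you already had on file). The vendor names, account numbers and routing codes are constructed sample data.

```python
"""Flag invoices whose payee bank details differ from the vendor's known details.

Added example (not from the original guide). The field names and sample data are
assumptions; map them onto whatever your invoicing export actually provides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor: str
    account_number: str  # account the invoice asks to be paid into
    routing_code: str    # bank/branch routing code for that account
    amount: float


# Constructed sample invoices; "Acme Bookkeeping" plays the accountant from the text.
SAMPLE_INVOICES = [
    Invoice("INV-1001", "Acme Bookkeeping", "12345678", "01-0001", 1200.00),
    Invoice("INV-1002", "Acme Bookkeeping", "12345678", "01-0001", 1250.00),
    Invoice("INV-2001", "Beta Supplies", "87654321", "02-0002", 300.00),
    # Same vendor, different payee account: the pattern described in the incident.
    Invoice("INV-1003", "Acme Bookkeeping", "99999999", "09-0009", 1300.00),
]


def find_bank_detail_changes(invoices, baseline=None):
    """Compare each invoice's payee details with the accepted baseline for its vendor.

    Returns (alerts, baseline). An alert is a tuple
    (invoice_id, vendor, accepted_details, details_on_invoice).

    A vendor's first invoice establishes its baseline. A later invoice that carries
    different details raises an alert and does NOT change the baseline: the new
    details must be verified out-of-band and accepted explicitly.
    """
    baseline = dict(baseline or {})
    alerts = []
    for inv in invoices:
        details = (inv.account_number, inv.routing_code)
        accepted = baseline.get(inv.vendor)
        if accepted is None:
            baseline[inv.vendor] = details
        elif accepted != details:
            alerts.append((inv.invoice_id, inv.vendor, accepted, details))
    return alerts, baseline


def accept_verified_change(baseline, vendor, new_details):
    """Record new payee details for a vendor after they were confirmed out-of-band.

    Returns a new baseline mapping so the caller keeps an audit trail of the old one.
    """
    updated = dict(baseline)
    updated[vendor] = new_details
    return updated


if __name__ == "__main__":
    alerts, baseline = find_bank_detail_changes(SAMPLE_INVOICES)
    for invoice_id, vendor, accepted, seen in alerts:
        print(f"HOLD {invoice_id}: {vendor} payee details changed "
              f"from {accepted} to {seen}; verify by phone before paying")
```

Running the block prints a hold notice for INV-1003 only; the two earlier Acme invoices and the Beta Supplies invoice match their baselines. The point of keeping `accept_verified_change` as a separate, deliberate step is that an attacker who can edit invoices should not also be able to silently move the baseline.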
To manage your security risk while getting help from others, let’s rephrase the above two considerations into principles you should follow:
What is the minimum amount of data, information, or access they need to still do their job?
How can I control how they access that data, information, or access (so I know it is going to be secure)? Or how can I confirm how they will be securing it (so I can keep them accountable)?