In the modern business environment, it is increasingly tempting for organisations to outsource some of their services to a 3rd party company. Why is this?
- Reduce the risks
- Reduce the costs
- Reduce the resource burden
- Reduce the compliance burden
- Increase efficiency
- Increase productivity
- Lack of skills, knowledge or experience
However, a significant number of data breaches originate through outsourced services.
Are businesses fully aware of the risks they may be taking on by outsourcing to a particular supplier or service?
- When choosing a supplier, are you questioning whether the supplier is truly capable of delivering that service or are they in fact selling you a dream?
- Buyer beware
- Does the supplier offer an initial deal, which diminishes over subsequent years?
- How well do you manage your supplier relationships?
- Do you make lots of assumptions and simply TRUST that the supplier is doing right by you?
If so, consider whether you would take the same approach when crossing a road without the ability to see, hear or speak.
You have many options here:
- Getting someone to walk you across the road
- Having someone carry you across the road
- Via the use of a ‘lollipop man/woman’
- Via a zebra or pelican crossing
- Using traffic lights
- Use a nearby bridge
- Build a bypass (reduce the traffic flow)
- Find an alternative route
However, in the real world, would you simply step out into the road without any consideration or assurance? For example, you would want to know:
- What is the volume of traffic (Threat)?
- How many vehicles are there (Likelihood)?
- How fast are the vehicles travelling (Impact)?
- How wide is the road (Vulnerability)?
- What are the weather conditions (Vulnerability)?
When considering outsourcing, i.e. crossing the road, what questions would you ask of the 3rd party providing a service to protect you from the hazards and burden of having to cross that road?
- If you are relying on multiple 3rd parties (zebra crossing, traffic lights, lollipop man/lady), have you identified and evaluated them, and are you effectively managing each of them?
- Is the 3rd party capable of delivering a service in which you would entrust your life?
- If they are delivering the same service to others, do they have the capacity?
- Would you entrust your life to a verbal contract or would you want something in writing?
- Have you checked that they are capable of delivering on their promises?
- What assurances have you attained from the 3rd party, confirming that they can deliver these services whilst meeting your minimum expectations?
- Have you received written confirmation from the 3rd party that the services they are delivering match what you understand they are delivering?
Outsourcing of services (Cloud, Call Centres, Data Centres, Logistics, Security, Software Development, etc.) has become a significant cog in the wheel of business. Consequently, although cost is an important consideration, when deciding whether to outsource to company A, B or C we need to make a thorough evaluation of each company’s capability to deliver that service, weighed against the costs offered.
Hence, every information security and governance standard has requirements for effective 3rd party management, for example:
- PCI DSS v3.1 – Requirement 12.8 – Managing service providers
- ISO/IEC 27001:2013 – A.15 – Supplier Relationships
- COBIT 5 – APO10 – Manage Suppliers
- CIS 20 Critical Security Controls (CSCs), v6.0 – Throughout
- NERC CIP, v6.0 - Throughout
To contact Nettitude’s editor, please email firstname.lastname@example.org.