Where does your data go at night?


You go to great lengths – firewalls, intrusion prevention systems, PCI audit, SSAE16 audit – to keep your sensitive data protected. But what happens every night when your information leaves the data center? Are your vendors following the same rigorous measures to keep your data secure?

Many companies today gather massive amounts of customer data on a daily basis to conduct their business. Financial institutions and healthcare companies are just two examples. Frequently, the scope of transactions is so voluminous that it makes business sense to outsource certain tasks, such as data entry, data processing, customer service and/or marketing analytics. However, in order for a third-party vendor to fulfill its role, it often needs access to proprietary data, personally identifiable information or other regulated data in real time, or on a nightly basis.

Outsourcing safely: How to keep your data safe at night

To prevent compromised data, vendor selection must be carefully managed. While a company’s primary data handlers have developed expertise in managing sensitive data through internal and external audits, outsourced vendors may not consistently follow the same stringent data security standards.

Also, vendor selection is frequently administered by senior executives who interface with sales reps, and certain details may be overlooked. Oftentimes, the security and compliance teams are called in after the deal has been informally solidified, which often creates pressure to sign off on a potentially under-qualified vendor. Therefore, it’s imperative that executives be educated on the importance and necessity of these practices. Consider the liability should an external vendor mishandle, leak or lose your data.

Here are some general vendor selection guidelines to help limit financial and regulatory liability:

  • Evaluate vendors that are heavily vested in your industry. Their awareness of industry regulation is generally proportional to their exposure in that industry.
  • Do extensive reference checks with other customers.
  • Ask for copies of any independent audits.
    • If the report was issued more than three quarters ago, ask about audit prep for the next report and examine documents for changes.
    • Review all security infrastructure and procedures thoroughly, including:
      • network firewalls
      • disaster recovery plans
      • failover
      • personnel hiring practices
      • data handling
      • red flag policies

In addition, when reviewing audit reports, keep an eye out for significant staff changes in the compliance, IT or information security departments. This may signal a change in effectiveness in those areas.

Buyer beware

Vendors have the option to define their audit scope. So while industry certifications provide an accurate snapshot of a company’s regulatory and security posture, an audit may only address a specific product, department or set of processes. Carefully review audit reports and have an expert review sections outside of your expertise.  In addition, discuss any findings with the vendor’s compliance manager and ask for the remediation path for those findings.

An alternative approach

When a company does not have the time or personnel to conduct comprehensive due diligence on a potential vendor, the next option is to outsource the verification to an experienced auditor.  An independent audit firm can be objective and identify possible risks that need to be mitigated prior to providing access to your confidential or regulated data. Such firms have expertise vetting organizations for regulatory compliance, business continuity and data integrity.  This approach is similar to hiring a recruiting firm to conduct a specialized skills search or executive search, so valuable time isn’t wasted scouring through qualifications and initial interviews.

Some companies, however, are leery of outsourcing vendor selection because of concerns that an outsider will lack the understanding of their unique business complexities.  Additionally, it’s easy for company decision-makers to buy into a vendor sales pitch without considering the potential risks.

Bringing it All Together

When selecting a vendor that will handle your sensitive data, be thorough in your due diligence and selection process. Also, educate your executives on the importance and necessity of these safety practices so they will support the vetting process. If your organization doesn’t have the bandwidth to properly evaluate prospective data vendors, consider hiring an independent third-party firm to do the legwork.

Bridgepoint Consulting provides advisory services to help companies solve complex challenges and supports a broad range of organizational transformation services. Our Technology Consulting services include Cloud Migration, Cybersecurity, Enterprise Solutions (NetSuite and Salesforce), IT Risk & Compliance and Systems Integration. Learn more about some of our clients here.