Knowing what to expect is a great way to avoid trouble. We drive our cars safely because we have learned what the dangers are. We check side view mirrors before changing lanes. We use mirrors and turn around to back up safely. We slow our rate of speed when conditions get slick. At least we should do all these things and we are safer when we do. Nevertheless, accidents still happen, especially when the other driver is being reckless. Indeed, sometimes no matter how careful we are, we can still become accident victims.
The same conditions exist in cyberspace. By now every person and every organization that uses a computer should have some sense of where the dangers are. Undesired email advertising can be annoying, like driving behind someone who is going too slowly. But malicious spam is more like someone driving in your blind spot. Unless you are aware of the risk and careful enough to lean forward and improve your range of vision to the side, you may not sense the danger lurking right next to you. You must be able to anticipate the dangers to minimize the risk.
So you keep your car in good mechanical condition and drive defensively. But danger can still arise from other drivers who are speeding, driving erratically, distracted or under the influence of some substance that inhibits their control of their vehicle. You can look out for them but you cannot control them. In fact, you have no control over the fact you are required to share the road with them. They are a risk you can be on the alert for but cannot prevent.
In the data processing world, we call these other drivers our third-party vendors. Every one of them creates risk as we share the digital highway with them. When a vendor supplies services we need to process our data and serve our clients, they might just be the equivalent of a driver who appears to be fine and unexpectedly becomes a risk. So to be safe we must anticipate predictable risk.
- Are your third-party vendors' systems secure? Is your data safe in their network? If you cannot answer these questions in the affirmative, audit your vendors' networks. That right to audit, plus an obligation to cooperate in any breach investigation, should be part of your contract.
- Do they have access to parts of your system that they do not need? If so, you must improve the segmentation of your system. Environmental maintenance does not require access to your Point of Sale systems. The vendor who processes insurance claims for a medical office does not need access to payroll.
- Is data encrypted in transit and in storage? When your data leaves your control, it is still your data and still your responsibility. Mandate encryption and other appropriate security measures by contract, and enforce those terms through your right to audit.
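The segmentation question above is one that can be checked rather than only asked. The following is an added example, not code from the original article: it takes a hypothetical table of which network segments each vendor account is contracted to reach, reads constructed firewall log lines, and flags every allowed connection by a vendor account to a segment outside its scope (the HVAC contractor reaching the point-of-sale range, the claims processor reaching payroll). The segment ranges, vendor names and log format are all assumptions made for the illustration.

```python
"""Least-privilege check for third-party vendor network access.

Added example, not from the original article. The segment table,
vendor scope table, log format and log lines are all constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical network segments (constructed ranges).
SEGMENTS = {
    "hvac":    ipaddress.ip_network("10.10.0.0/24"),
    "pos":     ipaddress.ip_network("10.20.0.0/24"),
    "claims":  ipaddress.ip_network("10.30.0.0/24"),
    "payroll": ipaddress.ip_network("10.40.0.0/24"),
}

# Hypothetical vendor accounts and the segments their contract covers.
VENDOR_SCOPE = {
    "acme-hvac":     {"hvac"},
    "medclaims-inc": {"claims"},
}

# Constructed log format: "<ts> user=<account> dst=<ip>:<port> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    dst: str
    segment: Optional[str]  # None: destination is in no known segment at all


def segment_of(ip: str) -> Optional[str]:
    """Map a destination address to the named segment containing it."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def out_of_scope(log_lines: List[str]) -> List[Finding]:
    """Return allowed connections by a vendor account outside its contracted segments."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production check would count these too
        user = m["user"]
        if user not in VENDOR_SCOPE:
            continue  # only vendor accounts are in scope for this check
        if m["action"] != "allow":
            continue  # a deny means the firewall already enforced the boundary
        seg = segment_of(m["ip"])
        if seg is None or seg not in VENDOR_SCOPE[user]:
            findings.append(Finding(m["ts"], user, f'{m["ip"]}:{m["port"]}', seg))
    return findings


# Constructed sample log: two in-scope vendor connections, one deny,
# one employee connection, and three vendor connections that are out of scope.
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z user=acme-hvac dst=10.10.0.15:443 action=allow",
    "2024-05-01T08:02:10Z user=acme-hvac dst=10.20.0.7:3389 action=allow",
    "2024-05-01T08:05:33Z user=medclaims-inc dst=10.30.0.22:443 action=allow",
    "2024-05-01T08:06:00Z user=medclaims-inc dst=10.40.0.5:445 action=deny",
    "2024-05-01T08:07:12Z user=medclaims-inc dst=10.40.0.5:445 action=allow",
    "2024-05-01T08:09:40Z user=jdoe dst=10.40.0.5:445 action=allow",
    "2024-05-01T08:11:05Z user=acme-hvac dst=192.168.50.9:22 action=allow",
]

if __name__ == "__main__":
    for f in out_of_scope(SAMPLE_LOG):
        where = f.segment or "unknown segment"
        print(f"{f.ts} {f.user} reached {f.dst} ({where}) outside contracted scope")
```

A finding here is evidence for the audit and contract discussion the article calls for: either the vendor's access needs to be narrowed in the firewall and identity configuration, or the contract's scope was wrong and needs revisiting.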
When we drive we cannot be certain that the other drivers have cars that are in good condition, but in this respect the cyber world has an advantage. We can secure the right to test the security of a vendor's system. We can address liability for a breach as a term of the contract. We can require that a vendor carry cyber risk insurance, just as other drivers should (but of course our own policy must have a provision covering us if they do not, just as with your car).
Before you get a license, you get trained on how to drive. Periodically, you should refresh your defensive driving skills with an approved course. It saves on your insurance and may save your life.