When 24x7 Security is Not Enough

Neighbors, babysitters, handymen, even family members; your backyard, upstairs deck, even your own front door…

Statistics show the vast majority of burglaries and theft, especially identity theft, are perpetrated by a household acquaintance or family member. The US Department of Justice says that “Offenders were known to their victims in 65% of violent burglaries; offenders were strangers in 28%.” Similarly, any Google search yields countless articles listing front doors, backyards, and ground floor windows as the most common points of entry for burglars. 

Now we’re not trying to be fearmongers, but theft is a crime of opportunity, and accordingly perpetrators exploit trust and unguarded access points to gain entry.  

This is no different in the enterprise world, where the speed of technological advances and business growth forces many organizations to outsource an increasing array of services. In many cases, third-parties can provide better services, uptime, and customer experience. This allows for businesses to be nimble and to keep pace in an increasingly competitive marketplace. The use of cloud-based infrastructure, platform, and software as a service is an example of the type of outsourcing in today’s enterprise economy that is required to keep organizations competitive.

That said, it’s critically important to have a clear understanding of how your business partners may impact your security posture. The Target breach in 2013 opened the world’s eyes to the risk of outsourcing. Many companies have implemented, or are in the process of implementing, third-party risk management programs to gain a clearer understanding of not only how their business relationships (from a data perspective) work, but also the inherent risk associated with these relationships.

Where contact centers and CX/digital practices are concerned, the recent [24]7 breach that impacted Delta, Sears, KMART, and Best Buy (and perhaps more) helps bring this to light and also helps us understand that this is a complicated undertaking. In this case, the retailers who were using [24]7 as an online chat service provider most likely exercised proper due diligence on their provider. [24]7 was, after all, able to demonstrate PCI compliance (as they are listed as a PCI-compliant Service Provider on Visa’s website). This shows that breaches can happen even when services are architected to meet common security standards. What more can we do?

What is a third-party breach?

A third-party breach is when your partner’s network or systems are attacked (which in turn may also open an attack vector into your own network/systems). Attackers commonly take advantage of the trust imparted upon third-parties since they often have some means of logical network or system access yet may not apply due diligence in protecting access mechanisms. The attackers often gain a foothold with the limited access they are authorized to have, then tunnel their way into more critical systems through various attack methods.

Where to start – understand their risk profile

Before entrusting any part of your business to a third-party, consider the capacity in which they will be providing services because each of your partners will have a unique risk profile. A huge prerequisite is to gain a clear understanding of the data that the partner will have access to or impact through meticulous mapping of data flows, business processes, and system architectures. 

Factors to consider:   

• Is the data highly sensitive? 
• How often is it accessed or handled? 
• How is the data handled?
• Does the partner retain any of the data?
• Can sensitive data be scrubbed before sharing with the partner?
• How much data is accessed or handled?
• Is this data critical to your operations?
• If something were to happen to this partner, how would your business be impacted?
• Does the partner need access to your applications/systems/networks?

Next – practice proper due diligence

Once you know the nature of how you share data with the third-party, and what data you share with them, you need to vet the risk associated with the relationship. Of critical importance is to gain a clear understanding of responsibilities (yours, the service providers, or joint between the two of you) so nothing is left to interpretation. Many of the more mature service providers have well documented responsibility matrices. Some potential questions to consider:

• What assessments/certifications have they had conducted (i.e. IS27001, SOC2, PCI, etc.)?
• What were the results of their pen test?
• What were the results of their vulnerability scans?
• How do they practice risk management?
• Do they have a security policy?
• Do they have supporting procedures?
• Do they have secure build standards?
• Do they have effective access controls?
• Do they have effective authentication controls?
• Do they have centralized logging?
• Do they have effective physical security?
• Do they have outdated technologies?
• Do they have an effective vulnerability management process?
• Do you have a warm fuzzy that they are adequately monitoring their infrastructure?
• What is their breach notification process?

Rinse, lather, repeat

Nothing in this world is static, including our ever-morphing relationships with partners and service providers. In addition to performing periodic partner risk assessment reviews (I’d recommend annually, but that mileage may vary as a hugely sensitive partner may require more frequent reviews), you should maintain tight relationships with the business and legal teams (since after all, contracts usually flow through legal) so that you can be kept in the loop when business with the third-party changes (therefore potentially impacting the risk).

Online's Third-party Risk Management Service

Online’s Third-party Risk Management service not only uses certified security experts, but also leverages our in-house legal counsel to ensure both you and your service providers are compliant with necessary regulations and contractual security and privacy requirements. In addition, we use our considerable experience in Cloud services to ensure no matter where your information is being held, it is protected from potential threats. You can learn more about our Third-party Risk Management service by clicking here.

As a Genesys AppFoundry and services partner with decades of experience across the Genesys platform, we combine our contact center knowledge with our Security Consulting expertise to help ensure that both your organization’s information, and your customer information, are secure and protected from threats and vulnerabilities unique to your contact center environment– both now and in the future. Online offers packaged Risk Assessment and Penetration Testing engagements through the Genesys AppFoundry.

You can also learn more about our Genesys delivery team by clicking here.

To learn more about Online’s Risk, Security and Privacy practice, click here.