Neighbors, babysitters, handymen, even family members; your backyard, upstairs deck, even your own front door…
Statistics show the vast majority of burglaries and theft, especially identity theft, are
Now we’re not trying to be fearmongers, but theft is a crime of opportunity, and accordingly perpetrators exploit trust and unguarded access points to gain entry.
This is no different in the enterprise world, where the speed of technological change and business growth forces many organizations to outsource an increasing array of services. In many cases, third parties can provide better services, uptime, and customer experience, which allows businesses to stay nimble and keep pace in an increasingly competitive marketplace. The use of cloud-based infrastructure, platform, and software as a service is one example of the outsourcing that today's enterprises rely on to remain competitive.
That said, it’s critically important to have a clear understanding of how your business partners may impact your security posture. The Target breach in 2013 opened the world’s eyes to the risk of outsourcing. Many companies have implemented, or are in the process of implementing, third-party risk management programs to gain a clearer understanding of not only how their business relationships (from a data perspective) work, but also the inherent risk associated with these relationships.
Where contact centers and CX/digital practices are concerned, the recent [24]7 breach that impacted Delta, Sears, Kmart, and Best Buy (and perhaps more) brings this to light and also shows that managing third-party risk is a complicated undertaking. In this case, the retailers using [24]7 as an online chat service provider most likely exercised proper due diligence on their provider: [24]7 was, after all, able to demonstrate PCI compliance (it is listed as a PCI-compliant Service Provider on Visa’s website). This shows that breaches can happen even when services are architected to meet common security standards. What more can we do?
A third-party breach is when your partner’s network or systems are attacked, which in turn may open an attack vector into your own network or systems. Attackers commonly take advantage of the trust placed in third parties: a partner often has some means of logical access to your network or systems, yet may not apply the same diligence in protecting that access (credentials, VPN accounts, API keys, remote support tools) as you would. The attacker gains a foothold with the limited access the partner is authorized to have, then pivots from there into more critical systems through various attack methods.
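The foothold-then-pivot pattern described above leaves a trace: a vendor account that is legitimately accepted on the hosts it is contracted for, and then shows up on hosts it was never authorized to touch. The following is an added example (not code from the original post or from Online), showing how a small per-vendor allowlist can be checked against authentication logs. The account names, host names, source addresses and sshd-style log lines are all constructed for illustration.

```python
"""Flag third-party accounts reaching beyond their authorized scope.

Added example, not part of the original article. It assumes a per-vendor
allowlist of hosts and sshd-style authentication log lines; every account,
host and address below is hypothetical.
"""
import re
from collections import defaultdict

# Hypothetical vendor access policy: the only hosts each third-party account
# is contracted to log into. Anything else is out of scope for that vendor.
VENDOR_SCOPE = {
    "svc_chatvendor": {"chat-gw-01", "chat-gw-02"},
    "svc_hvac": {"bms-01"},
}

# Constructed sample log (sshd-style). Not real data.
SAMPLE_LOG = """\
Apr 02 08:01:12 chat-gw-01 sshd[2211]: Accepted publickey for svc_chatvendor from 203.0.113.10 port 51022 ssh2
Apr 02 08:03:40 chat-gw-02 sshd[2290]: Accepted publickey for svc_chatvendor from 203.0.113.10 port 51030 ssh2
Apr 02 08:15:05 bms-01 sshd[1188]: Accepted password for svc_hvac from 198.51.100.7 port 40211 ssh2
Apr 02 09:42:19 pos-db-03 sshd[3307]: Accepted publickey for svc_hvac from 10.20.30.41 port 58012 ssh2
Apr 02 09:43:02 pos-db-03 sshd[3310]: Failed password for svc_chatvendor from 10.20.30.41 port 58020 ssh2
Apr 02 09:44:51 cardholder-app-01 sshd[4001]: Accepted publickey for svc_hvac from 10.20.30.41 port 58044 ssh2
Apr 02 10:00:00 chat-gw-01 sshd[2400]: Accepted publickey for admin_jane from 10.1.1.5 port 50001 ssh2
"""

# Matches the prefix of an sshd "Accepted"/"Failed" line; trailing text is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Yield one dict per line that matches the sshd auth format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def out_of_scope_events(log_text, scope=VENDOR_SCOPE):
    """Every login (accepted or failed) by a vendor account against a host that
    vendor is not authorized for. Failed attempts are kept on purpose: a vendor
    credential probing an unauthorized host is already a finding."""
    findings = []
    for ev in parse(log_text):
        allowed = scope.get(ev["user"])
        if allowed is None:
            continue  # not a vendor account; outside this check
        if ev["host"] not in allowed:
            findings.append((ev["user"], ev["host"], ev["result"], ev["src"]))
    return findings


def foothold_then_pivot(log_text, scope=VENDOR_SCOPE):
    """Vendor accounts that were accepted on an authorized host and afterwards
    (in log order) reached for an unauthorized one: the foothold-then-pivot
    shape. Returns {account: [unauthorized hosts touched after the foothold]}."""
    footholds = set()
    pivots = defaultdict(list)
    for ev in parse(log_text):
        allowed = scope.get(ev["user"])
        if allowed is None:
            continue
        if ev["host"] in allowed and ev["result"] == "Accepted":
            footholds.add(ev["user"])
        elif ev["host"] not in allowed and ev["user"] in footholds:
            pivots[ev["user"]].append(ev["host"])
    return dict(pivots)


if __name__ == "__main__":
    for user, host, result, src in out_of_scope_events(SAMPLE_LOG):
        print(f"OUT OF SCOPE: {user} {result} on {host} from {src}")
    for user, hosts in foothold_then_pivot(SAMPLE_LOG).items():
        print(f"PIVOT: {user} moved to {', '.join(hosts)} after legitimate access")
```

In the sample, both vendor accounts are first seen where they belong and then from an internal address on a point-of-sale database and a cardholder application host, which is exactly the movement a per-vendor allowlist and a log review would catch. The allowlist is the artifact that comes out of the data-flow and system-architecture mapping discussed below; without it, the second half of the log looks like ordinary administrative traffic.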
Before entrusting any part of your business to a third party, consider the capacity in which they will be providing services, because each of your partners will have a unique risk profile. A key prerequisite is a clear understanding of the data the partner will have access to or can affect, gained through meticulous mapping of data flows, business processes, and system architectures.
Factors to consider:
Once you know what data you share with the third party and how you share it, you need to vet the risk associated with the relationship. It is critically important to gain a clear understanding of responsibilities (yours, the service provider’s, or shared between the two of you) so that nothing is left to interpretation. Many of the more mature service providers have well-documented responsibility matrices. Some potential questions to consider:
Nothing in this world is static, including our ever-changing relationships with partners and service providers. Perform periodic partner risk assessment reviews (I’d recommend annually, but your mileage may vary; a highly sensitive partner may require more frequent reviews). In addition, maintain tight relationships with the business and legal teams (after all, contracts usually flow through legal) so that you are kept in the loop when business with the third party changes and the risk potentially changes with it.
Online’s Third-party Risk Management service not only uses certified security experts, but also leverages our in-house legal counsel to ensure both you and your service providers are compliant with necessary regulations and contractual security and privacy requirements. In addition, we use our considerable experience in Cloud services to ensure no matter where your information is being held, it is protected from potential threats. You can learn more about our Third-party Risk Management service by clicking here.
As a Genesys AppFoundry and services partner with decades of experience across the Genesys platform, we combine our contact center knowledge with our Security Consulting expertise to help ensure that both your organization’s information, and your customer information, are secure and protected from threats and vulnerabilities unique to your contact center environment– both now and in the future. Online offers packaged Risk Assessment and Penetration Testing engagements through the Genesys AppFoundry.
You can also learn more about our Genesys delivery team by clicking here.
To learn more about Online’s Risk, Security and Privacy practice, click here.