Zendesk, a company that offers online tech support to more than 25,000 clients, announced a security breach on Feb. 21. Hackers accessed support records for three of its customers: Twitter, Pinterest and Tumblr, according to .

The hackers downloaded email addresses and other contact information of users who emailed Twitter, Pinterest and Tumblr for tech support. All three sites have alerted affected users and recommend they stay alert to spear-phishing and other fraudulent emails.

The attack, the most recent in a long week of high-profile hacks, demonstrates the inherent data security risks when dealing with third-party vendors. Whether a consultant or business partner, accountant or law firm, if a third-party firm doesn’t have adequate data security policies, your business is vulnerable by association.

In a 2012 survey of data recovery vendors, Ponemon found that 87 percent of respondents suffered a data breach in 2010 or 2011—and a whopping 21 percent of those breaches happened at the hands of a third-party vendor. While 83 percent said business partners should ensure safe data-handling practices, only 9 percent actually reported doing so. In an earlier 2010 report, Ponemon found that 39 percent of all data breaches happened on a third-party vendor’s watch. However you slice it, trusting your sensitive data to another business is risky at best and downright dangerous at worst.

It isn’t always a lack of security on the vendor side that’s so dangerous. It’s the potential for a murky chain of command. Often there is a lack of understanding of who is responsible for particular security components. Thinking that another party “has it covered” is a recipe for disaster.

The surest safeguards against miscommunication are periodic reviews and a strong, detailed contract. The contract should address insurance coverage and data security procedures with specifics. The best way to start is by generating a list of all vendors that have access to your business’s sensitive, protected or confidential data. If existing contracts don’t discuss security measures, it’s time for a renegotiation. For new vendors, expectations should be outlined in the earliest discussions.

Contractual specifics to consider include:

•    Language that requires notification within 24 hours if your data is lost or compromised;
•    The right to audit the third party’s security policies and operations to ensure best practices;
•    Clear insurance responsibilities covering data recovery and state and federal law compliance costs, should something go wrong.

The information assets of your business are only as safe as your weakest vendor’s security protocol. Make your relationship stronger with good contracts, communication and periodic reviews.

Deena Coffman is chief operating officer of IDT911 Consulting.