Is your off-site data secure? If you have to undergo a SOX, PCI or HIPAA audit, does the audit include the vendors that supply your data storage, SaaS or cloud services? Most medical providers, banks and publicly-traded companies are bound by one or more of the regulations behind those acronyms. However, your service provider may not be bound by the same regulations. They may try to hide behind claims of intellectual property, copyright or "patent pending" as reasons not to maintain the same security compliance you have to. Smokescreens like these can put you and your customers at risk.
Let's say a small, privately-owned company comes up with a way to compress and store data, and it can restore data 4-times faster than any competitor can. A decision is made to sell the product as a service instead of packaging it as software, because the application is still immature and it is easier to fix problems in a hosted service than to support installed software. Every piece of data stored on the system is well encrypted... All that is left is the means of transporting the data and the creation of the user interface.
Just remember that your security is only as strong as your weakest link. In this case, the company had an unencrypted login and password that existed for years before it was fixed. This was an issue that only a handful of people knew about, and it was going to be fixed, but at the moment it was a lower priority than the data. Would you trust a company that knew of a major glitch but didn't fix it simply because it wasn't a "high enough priority at the moment"?
Do you put your security in their hands?
Some of the biggest banks and hospitals need services like the one mentioned above to store the ever-growing document and image libraries now required to stay in business. I've worked in publicly-traded organizations, banks and in the medical industry. I have gone through audits several times, and not once have I seen service providers face anything but a glance.
This example isn't a true story, and I hope that attitude about security isn't found anywhere today. But this fictional scenario should encourage you to make sure your third-party vendors scan and test for security vulnerabilities. Make it a requirement that they supply your company with periodic detailed reports on their software, or keep those reports on file for third-party review.
Does your company hold its service providers to the same security standard that it holds internal IT groups? I would like to hear your stories and hints. Have you experienced any security loopholes like the fictional one described here?