Channel: Alertsec Security Blog » SaaS

Security does not stop at the Firewall


Many businesses have realized the risks involved with the loss of electronic data. Companies that have credit card or other personal data have been forced to manage security because of government regulations about the privacy of data. But while good security managers are watching their network and their staff, all too often nobody is minding the security policies of a company’s partners.

Today very few companies, small, medium or large, have the resources or the interest to manage every aspect of their business – we bring in experts: consultants, lawyers, call centers, companies providing software-as-a-service (SaaS) and a myriad of other businesses. A lot of business is conducted, and a lot of information handled, outside our security firewall, and it's a grey area as to who, if anybody, should be watching out for this risk.

Just consider these scenarios:

  • When you hired an auditor, who reviewed the auditor’s security policy to make sure they would protect your data? Don’t make assumptions here – I once refused to let an auditor’s PC on our network because we could visually see spyware on the browser. We did not even have to run any diagnostics – the spyware was visible on the browser and the desktop!
  • You probably have some type of legal counsel, and they will get some pretty confidential data sent to them. Who is checking out their data security? (Check out this blog on “Can you trust your lawyer’s PC”.)
  • You might be using Software-as-a-Service tools; sometimes they might have been picked by the business unit and not by IT. They are hosting your data – does anybody know about their security? And not just their data center security, but all aspects, like how secure their laptops are.

Now if I (the admitted security geek) were a lawyer or accountant, I would make sure that I told prospective clients about my security; I wouldn’t even wait for them to ask. I would highlight how we encrypt all information. It is a selling point about how good your company is.

But since not every company is that good, I encourage companies to make this part of the process when they bring in outside help. If you have an RFP, it should certainly ask about security policies. Even more than the RFP – test it out. When your sales rep visits the office, ask if you can see their PC. Then say, “I just stole your PC – do you know who to contact at your company to report this?” Ask, “How much confidential data will I be able to access without even needing a password? Is the laptop encrypted?”

While one of your co-workers is busy providing CPR to your visitor, you will have time to print out a copy of your security policy and maybe even share a link to Alertsec Express.  We’re all part of a network – your business partner’s security is really your security as well.

