An integral part of some businesses is to have and/or allow sub-contractors or other businesses to access information (intellectual property) that could be considered highly confidential. If this information is exposed to the outside world, the business could lose the critical information that gives it its edge over the competition.
There are times when companies like solicitors and accountants accessing this information can compromise the security envelope of the parent company. Once the information is in their hands, it no longer has the same level of protection that the parent company applies to it. This is one of the reasons that cyber criminals target these types of business: they are not only easier to “crack”, but once cracked the information they hold has a good chance of being less protected.
There are a number of controls that you can put forward as a business that will allow more leverage over that information when it is not under your control. I would suggest, however, that the best protection you can enforce is to ensure that the critical information does not leave your control.
This may not be feasible due to financial and compliance requirements. So what can you do to ensure that their access to and security of your data is subject to the same controls as your business applies to it?
Is there an agreement in place, and has it been signed by someone at the correct level?
One requirement for protecting your information when it is out of your control is to ensure that some form of service level agreement (SLA) is in place. The SLA has to state what level of protection, access, auditing and reporting is required to ensure the protection of the information.
Once the subsidiary has been informed about the security requirements around the data (for instance the financials, in the case of an accounting firm), the next step is to make sure that an executive at the correct management level has signed off on the SLA. It is no use getting the IT manager or MSP to sign off on the protection when they do not have the authority to do so. Go to the top and work down to the appropriate level.
What are their security standards like?
Getting an accountant or solicitor that treats your information with the same reverence you do is critically important to your cyber security protection. Cyber criminals regularly target these types of businesses because they know that in most cases the information is less well protected than if it were stored only at the parent location.
Not only will the cyber criminal get away with the service firm's own information, they will also get away with the critical information of your business.
Will their incident management team inform you if something happens?
What happens if the subsidiary is targeted and the attackers actually get into their system? Does your SLA ensure that in the event of a breach you will be informed? In most situations this information will not be forthcoming, because the firm is scared of losing the contract as well as of the damage a breach can do to its reputation.
In addition, in most cases, unless they run sensitive, high-end monitoring, it could be weeks or months before they actually know that they have had a breach. This is where auditing and reporting are critical to the enforcement of your security requirements. To make sure that YOUR information is safe and secure, you have to enforce the requirement that any suspicious access is reported to you as soon as possible.
Do they have an offshore component, and if so, how much access will it have to your information?
In most cases this is a very important question that you need to be asking. If the answer is yes, then you could have a deeper problem than expected. If any part of the subsidiary's information is held overseas, especially in countries like China, Eastern Europe or India, I would be even more concerned.
If there is a breach, can I terminate their contract?
This depends on your SLA. In most situations, though, they would have breached the agreement, and that gives you a chance to recover from the problem.
To most businesses this information is probably not very important. To others, who actually have financial, personal or intellectual property data held at locations outside their organisation, it is very important. To these businesses I ask the question: if the security of the data when it is off site is less than the security internally, why are you even contemplating sending the information off site?
When it comes to CPA and legal requirements, I would suggest that they come to you rather than the data going to them. It is just a risk analysis problem: weigh the cost of exposure of that information against the cost of having them on your site, and ask which is the more expensive.