By Rebecca Herold, CEO, Privacy Professor®
Do you know how well your vendors, business associates and contracted third parties (who I will collectively call “contractors”) are protecting the information with which you’ve entrusted them to perform some sort of business activity? You need to know.
Late last year, a study revealed that 33 percent of breaches in the retail industry were due to vulnerabilities caused by third-party vendors having access to sensitive information. The largest healthcare breach in 2014, which affected 4.5 million patients, came from a contractor of a hospital system.
The list of breaches caused by contractors throughout all industries could fill a large book. The damage that your third parties can cause to your business can be significant. Do you know the risks that your contractors and other third parties bring to your organization? Or, will your contractors take down your business because of their poor security and privacy practices?
I’ve led more than 300 contractor information security and privacy assessments. I’ve seen a lot of crazy things, risky things and downright incredibly stupid things. I’ve also seen a lot of common information security and privacy problems that contractors bring to those hiring them.
As a start to your contractor information security and privacy management activities, here are five things to check on when contracting another company to perform services on your behalf, especially when it involves personal information.
- Documented information security and privacy policies and procedures. These must not only exist; the employees also need to know they exist, and they need to be actually following them. The policies and procedures also need to be kept updated to address changes in the business environment and risk environment and to meet changes in legal requirements. A large portion of the contractors I’ve assessed said they had policies and procedures, but when I asked to see them, they replied something to the effect of, “Oh, they are undocumented but understood policies. We are a small company; we share our policies by word of mouth.”
Make sure contractors have documented policies and procedures. If they aren’t documented, they don’t exist.
- Obligations to appropriately safeguard personal information. In the past year I’ve actually had more than a dozen contractors state that they did not believe that they needed to safeguard personal information if that information is discoverable online. What blockheads are continuing to spread this horrible advice? Worse yet, some of these contractors with this belief were even selling the personal information to create another revenue path.
Make sure your contractors understand that they must appropriately secure, and not share, the personal information you’ve entrusted to them.
- Training or awareness activities. Many of the activities contractors say they do for training are not training. One contractor I assessed said its training was a message sent to employees telling them to read the information security policies. This is not training. Another contractor copied, verbatim, the entire Health Insurance Portability and Accountability Act (HIPAA) regulatory text and pasted it into 300 PowerPoint slides, and then told workers to “view” the “training” slides. This is not training. Information security and privacy training, as well as awareness communications, must actually provide educational value.
Make sure your contractors provide regular information security and privacy training to workers and regularly send awareness reminders.
- Risk assessments. A large percentage of the contractors I’ve assessed, around 25-30 percent, had never performed a risk assessment. An additional percentage, also around 25-30 percent, had performed a risk assessment once, and that was it. Some of those solitary risk assessments were performed more than 10 years ago, and one was 17 years ago. Yes, these two types of contractors represent around half of the contractors. You cannot effectively secure information if you do not know where your risks are located and what kind of risks you have. These types of contractors are leaving your organization vulnerable.
Make sure your contractors have a risk-management process in place.
- Basic security tools. Many contractors don’t use encryption, audit logs, mobile computing security tools, or patch management. Even contractors providing IT services don’t use these tools. Over the years I’ve found a large majority of contractors did not use encryption on their websites, even for forms where they were collecting personal information on behalf of the client who contracted them. Contractors also often do not have their mobile devices encrypted, and most also don’t encrypt sensitive information they send using emails and text messages. And surprisingly, many contractors still do not use comprehensive anti-malware tools or firewalls on personal devices. Even if these basic security measures were required within the service-level agreement (SLA), the requirement was often not communicated to contractors.
Make sure your contractors have basic security tools implemented, beyond just including the requirement in the contract and/or the SLA. Your contractors need to use basic security tools to protect the information you’ve entrusted to them.
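One concrete check for the unencrypted-form problem described above, as an added example that is not part of the original post: given the HTML of a contractor-hosted page and the URL it was served from (both constructed samples here), it reports any form whose submit target is plain http:// while it collects fields that look like personal information. The field-name hints are an assumption chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic field names/types that suggest personal information (assumption)
SENSITIVE_HINTS = ("password", "email", "ssn", "dob", "phone", "card", "name")


class FormAuditor(HTMLParser):
    """Collect each <form> on the page with its resolved action URL and inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # dicts: {"action": str, "fields": [(name, type)]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty/missing action submits back to the page URL itself
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            itype = (a.get("type") or "text").lower()
            self._current["fields"].append((name, itype))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url, html):
    """Return (action, [sensitive field names]) for forms posting personal data without TLS."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    findings = []
    for form in auditor.forms:
        if urlsplit(form["action"]).scheme != "https":
            hits = [n for n, t in form["fields"]
                    if t == "password" or any(h in n for h in SENSITIVE_HINTS)]
            if hits:
                findings.append((form["action"], hits))
    return findings


# Constructed sample: a contractor intake page served over plain HTTP
SAMPLE_URL = "http://vendor.example/intake"
SAMPLE_HTML = """<form action="/submit" method="post">
<input name="full_name"><input name="email"><input name="ssn"></form>
<form action="https://vendor.example/search"><input name="q"></form>"""

if __name__ == "__main__":
    for action, fields in insecure_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"{action}: collects {fields} without TLS")
```

The search form is ignored because its target is HTTPS and it collects nothing personal; the intake form is flagged because the page and its action are both plain HTTP.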
You cannot outsource your responsibility
This is also a very important thing to know: Generally, a hold harmless clause in the contract, used to try to relieve you of all responsibility for the bad things that may happen that are caused by the contractor, will not relieve you of all accountability for breaches and other bad things that may occur as a result of the vendors’ actions, vulnerabilities, or unaddressed threats. I’ve heard this from more than half of the organizations I’ve worked with in the past five or so years.
I am still hearing way too many organizations state something very similar to: “We outsourced so we wouldn’t be liable for the security of the information when it is under the care of the outsourced entity.” It simply does not work that way, folks, for many reasons. Bottom line: Your responsibility for securing and using information appropriately follows that information to whomever you have contracted.
Organizations will be judged by the company they keep and the businesses they contract. If organizations don’t want to become proactive about their oversight of those contracted entities, I have a question for them: Are they ready to pay for the security and privacy sins of their contracted entities?
Want to know more about how to effectively create a contractor information security and privacy oversight management process or program? On May 28, I am giving a free webinar for ISACA: An Effective Framework for Third-Party Information Security and Privacy Oversight & Risk Management. Consider attending. It will be recorded and available for future viewing.
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.