When a data breach makes the news, high-profile attacks on data centers and hacking incidents get most of the attention. What you may not hear about is the many data breaches that are caused by basic security lapses, like using the wrong size envelope and exposing sensitive customer information. For lending institutions working with third-party service providers, basic mistakes like these can lead to costly regulatory penalties and litigation. Knowing what to look for when selecting a secure provider can prevent expensive privacy violations and ensure that your most precious data is protected.
To be truly secure, every company needs to take the time to identify the threats and vulnerabilities to its information system. The best way to accomplish this is to implement a risk management program that includes regular risk assessments and a risk mitigation plan. When choosing a third-party provider, make sure it, too, performs risk assessments at least annually or whenever there is a significant operational or technological change to critical business operations.
While risk management programs head off potential problems by anticipating threats, contingency planning addresses security vulnerabilities when something goes wrong. Hence, the third-party service provider you choose should also have a contingency program that includes business continuity and disaster recovery planning, as well as a redundant IT infrastructure. Once again, you will want to verify that it tests contingency plans annually and incorporates identified security gaps into risk mitigation plans.
All the planning in the world won’t prevent a data breach if your provider’s information systems are unprotected. That’s why it is important to comprise a review of providers’ technical safeguards as part of your due diligence. Things to look for include encryption, multi-factor authentication, installation of firewalls, malware detection and protection, strong authentication controls, and 24/7 network monitoring. Additionally, the company should require all of its employees to undergo security awareness training that addresses procedures for information exchange and data handling, password management, and common security pitfalls like social engingeering.
The cost of a data breach can range from thousands of dollars to several million, but the damage to your company’s reputation can be incalculable. Most data breaches occur in less than a minute, but they can take months to detect and mitigate, so implementing defined breach notification procedures is a must. You also want to verify that your third-party providers have auditable service level agreements and cybersecurity liability insurance in the event a breach does occur.
Finding a third-party provider that meets all of your criteria when it comes to security can feel overwhelming. Certification is a great way to validate a provider’s security program, because most security certifications require companies to implement risk management, contingency planning, technical safeguards, and other security controls as part of the assessment process. You should make sure that the company to which you outsource your data is certified against a security framework that addresses the unique requirements of your industry. For example, companies that accept credit card payments should maintain PCI certification, while a SOC 2 report can help lending institutions comply with Gramm Leach Bliley Act and other financial regulations.
In many cases, finding a provider that maintains these certifications is your best option, because they have demonstrated the ability to pass rigorous audits that incorporate a broad range of security requirements. Maintaining multiple certifications also ensures that providers engage in a process of continuous improvement and address any gaps in their security programs.
With cybersecurity incidents and data breaches on the rise, selecting a secure provider by knowing what to look for can protect your data and safeguard your most valuable asset — your company’s reputation.
Harry Stephens is president, CEO, and founder of DATAMATX, a privately held, full-service provider of printed and electronic billing solutions. As an advocate for business mailers across the country, Stephens is actively involved in several postal trade associations. He serves on the executive board of the Greater Atlanta Postal Customer Council, as a board member of the National Postal Policy Council, Major Mailers Association, and Coalition for a 21st Century Postal Service. He is also immediate past president of the Imaging Network Group, an association for print/mail service bureaus. As an expert on high-volume print and mail, he has frequently been asked to speak to various USPS groups, including the Board of Governors, about postal reform and other issues affecting business mailers. Find DATAMATX at www.datamatx.com.