Has Everyone Had a Data Breach?

Almost every time that I attend an event, I’ll end up meeting someone who has had security issues at their company. I’m always surprised how many people have had ransomware or another security problem that didn’t get well publicized. It’s not like everyone has had one, but out of 100 people, it seems there is at least one issue.

Many of us work with third-party companies for either products or services. It’s become standard to use other firms for specific things your organization needs. However, since that’s the practice, many of those firms you partner with have their own partners. After all, they’re using other companies for specialized work just like you are.

These third- and fourth-party relationships have changed our security and risk profiles for the worse. As the numbers of data breaches and security issues grow, it’s likely that someone in your partner network has had an issue, which might mean that you have an issue. This depends on what you have contracted with partners for, but it seems more and more often this is some sort of service provided, often with your data being shared with the partner, which could mean your data is shared with their partners.

An article recently noted that the number of partners is going up and many organizations are not aware of the risk this creates for them and their customers. There are more and more third- and fourth-party partners who have suffered data breaches, and if they have shared our data, we may have liability. The weakest link in a supply chain is the problem, and many of us have lengthened our supply chains quite a bit without paying attention.

I don’t know that there are good solutions here, but I am seeing more and more companies demanding that suppliers of services prove they have strong security practices and protocols in place. It’s not perfect, but it does help us remember that security is everyone’s business, or at least everyone with whom we share our data.

Steve Jones


About way0utwest

Editor, SQLServerCentral

1 Response to Has Everyone Had a Data Breach?

  1. My company faces this daily, and I am the one in charge of setting up the interface connections that our primary accounting software uses. While I can limit what these 3rd parties can do to read-only (and even that isn’t always an option) access, even then they can be infected and get the kind of data that allows for identity theft.

    The problem as I’ve seen it from experience is safety versus money. The decision makers, despite IT’s efforts, seem to always place cutting costs or gaining revenue over security, and that’s not a surprise.

    When you connect numerous platforms/systems that they themselves cannot be 100% secured, you open yourself to risk. I liken it to how the US government, despite easily being able to afford it, refuses to reinforce the US power grids for protection from solar events like a Carrington event, which we are long overdue for. They’d rather use those few billions elsewhere because reinforcing the grid has fewer rewards than using the money elsewhere. Like companies who open themselves up to potentially unsecured 3rd parties, both are taking a gamble that the bad thing won’t happen, at least not during their watch. It is good to read that entities are banding together to try and implement tighter measures to reduce the risk. Would be nice to see this kind of dedication to security in the Internet of Things realm.
