How well do you really know your third-party vendors?

Posted on Jun 6, 2014 · 3 min read

Sure, you’ve shared a couple of laughs on a call, and you know they know their way around PowerPoint, but would you trust them with your social security number or your customers’ credit card information?

It seems like every day, a new retail giant is forced to publicly admit that they’ve been foiled by hackers or cyber-criminals. Target may be the company that most consumers currently associate with the inconvenience and anxiety caused by a security breach, but they’re not alone. Adobe, Lowe’s, eBay, the Sony PlayStation Network, Sears, Neiman Marcus, and Michaels have all made headlines in the last year because of security breaches. According to the 2013 Trustwave report, 63% of data breaches were linked to a third party. In Lowe’s case, the home improvement giant’s delivery drivers’ personally identifiable information was exposed by a third party that was hired to monitor driver safety.

If it could happen to Lowe’s, eBay and Target, couldn’t it happen to you? It may not make the news when smaller businesses get hacked, but retailers of all sizes are vulnerable to cybercrime. Nearly a BILLION personal records were exposed in data breaches last year. That is a lot of angry customers. A study by Javelin Strategy & Research found that 1/3 of shoppers say they won’t continue shopping with a retailer after a data breach.

That’s why it’s important to ask your current third-party consultants and any third-party vendors you’re thinking of bringing on board a few key questions about their own security policies. So after you ask how their weekend went, be sure you cover all your bases.

  1. What are their password policies? Weak or stolen passwords are a major cause of data breaches. Do you know for sure that they’re not using “password” as their password for your account and the accounts of all their other clients? Make sure their password policies conform to your own by requiring strong passwords, and that they use unique passwords for each of their clients’ systems.
  2. Do they store your customers’ PII (personally identifiable information)? At SheerID, we never see any of the authoritative data we use to verify that shoppers qualify for exclusive offers from companies like Spotify or Costco. We just verify that there is a match. If you are working with a third-party vendor that has access to your customer data or collects data from your customers as part of their service, it’s important to know what they do with that information, how they store it, and whether or not it is hashed or encrypted.
  3. What would they do if there were a security breach? It’s like preparing for a massive zombie outbreak. It’s important to have a plan in place, even though you hope you’ll never need it. What would happen if a breach occurred? Who would contact your customers, and what information would your customers need in order to respond? Who is responsible for financial losses? The average U.S. company loss due to a data breach in 2013 was $3.5M, according to the Ponemon Institute.

Asking your third-party partners a few questions up front can protect your customers’ data, your company’s reputation, and your bottom line.

by Angela Modzelewski