Friend or Foe?: Third Party Access Cybersecurity Checklist
In our first two cybersecurity checklists, we talked about what personal identifying information your firm or organization stores, and what goals you should set when you’re developing your employee training to protect that information. However, your employees are often not the only ones who have access to confidential or sensitive information stored as part of your firm’s business processes.
The simple truth is that the more people who have access to sensitive information, the higher the risk of that information being compromised. That isn't to say that you should never involve third parties, or to disparage the third parties you share information with, but it is something to keep in mind so that you don't share information lightly. It's a little like the "phone a friend" option in Who Wants to be a Millionaire? – the "friend" you choose to bring in has the potential to make or break the entire game.
If you transmit confidential and/or sensitive information to third parties, or allow them to access it, you should ask the following questions about each party:
☐ Is it even necessary to allow this third-party access?
☐ How much access do they have? Put another way, is their access limited to the specific data they need for the work, and what actually prevents them from reaching all of the data stored by the firm?
☐ Have the third party's cybersecurity practices been assessed, and when were they last reviewed?
☐ When the data is transmitted to the third party, is it encrypted in transit, and is it encrypted once it is stored on their systems?
If the third parties also have devices that can access the confidential and/or sensitive information, you should check those devices for the following:
☐ Is the device protected by a passcode or password, and is its storage encrypted?
☐ Can the device be remotely wiped of data in the case it gets lost or stolen?
☐ Can only authorized individuals download software to the device?
☐ And lastly, if the device is compromised, how severe is the impact on your organization's data? Can an attacker reach only the data you shared with this third party, or can they use the device as a path into everything your organization stores? This ties back to the question above about separating what the third party can access from the rest of your data.
If any of these answers gives you pause, just like with the prior checklists, this doesn't mean that you need to cut off the third party completely. Rather, it should serve as a yellow flag that you need to rethink your sharing procedures, and perhaps have a discussion with the third party in question.
Now that you've done all those evaluations, in the next blog post we'll have checklists to help you establish a comprehensive incident response plan. We've also compiled a packet of printable versions of all the checklists in this series to help you assess your organization's cybersecurity status and come up with a comprehensive set of policies to set your organization up for success.