Business partners, third parties can pose security risk

The recent theft of 13,000 customer records from a major credit reporting agency shows why it’s important for companies to ensure that their business partners are following strong security practices, analysts and users said.

Ford Motor Credit Co. revealed earlier this month that someone posing as a Ford employee had collected the work and home addresses, Social Security numbers, account numbers and credit histories of 13,000 people from Experian Information Solutions Inc.

The theft is believed to have been carried out during a 10-month period by someone who may have pilfered an access code within Dearborn, Mich.-based Ford Motor Credit to gather credit information from Orange, Calif.-based Experian. The theft is now under investigation by the U.S. Federal Bureau of Investigation.

Although the details of the case are still unclear, the incident serves as a reminder that companies should mitigate their exposure to this kind of breach by ensuring that their business partners are paying due diligence to security, said John Pescatore, an analyst at Gartner Inc. in Stamford, Conn.

That means insisting upon periodic security audits and vulnerability assessments of all business partners and third parties with which a company may link to, Pescatore said.

Despite the growing need to take such steps when linking up with third parties, companies sometimes fail to do so because of the additional cost and effort involved, said Pete Lindstrom, an analyst at Framingham., Mass.-based Hurwitz Group Inc. That’s a mistake that could lead to lawsuits for failure to do due diligence. “Unfortunately, it seems that some people just don’t move until there is a court case,” he said.

“When two companies partner together, they are both putting their security at risk,” Pescatore said. It’s of little use when only one company has a strong set of policies and the other doesn’t, he said.

Washington-based human resources and financial management firm Watson Wyatt Worldwide insists on performing security audits on all vendors it outsources to, said David C. Hollingsworth, the company’s director of enterprise applications.

“We’re always concerned with security risks, whether it’s with our own network, or with services outsourced to a third party,” Hollingsworth said. “For all our third-party arrangements, we have very specific requirements on physical separation, trust relationships and security procedures.”

The use of virus scanning and removal tools and firewalls are also among the typical requirements mandated in vendor contracts, he said.

Providence Health System in Portland Ore., doesn’t allow anonymous log-ins into its systems, and it keeps log-ins for all external groups disabled by default.

“[External users] must first call and have us enable the access,” said David Rymal, Providence’s director of technology. In compliance with the Health Insurance Portability and Accountability Act, Providence also has agreements concerning the confidentiality of its information with each of its business associates.