The digital age threat facing retailers and other high-risk data organizations

May 16, 2018
How to assess third-party service provider risk with SOC

As more retailers adopt an omnichannel strategy, there is a valid concern within the industry about how their technology partners handle data and how well those partners' systems are secured. Even with the best intentions, many technology providers leave their clients exposed.

For example, in Target's now infamous 2013 data breach, the entry point was Fazio Mechanical, a small heating, ventilation and refrigeration contractor that by all accounts had no malicious intent. Attackers compromised the contractor and stole the credentials it used for Target's vendor-facing systems, then used that access to reach the retailer's internal network. None of Target's firewalls, encryption or secure-access devices addressed the weakest link in the chain: a third-party vendor that serviced the company in good faith. Over the following weeks the attackers harvested card data from point-of-sale systems, exposing roughly 40 million payment card records along with personal information on as many as 70 million customers, which were then sold on underground markets.

Because most retail organizations hold some degree of sensitive digital information, decision-makers must be wary of threats that can enter at any stage of the company's supply chain. Operations can be outsourced to third parties; accountability for those operations cannot. Whether a breach originates inside the institution or solely through a contracted vendor, the customer sees only the brand they trusted, and, financial costs aside, consumers voice that lost trust by taking their business elsewhere.

The organizations with the greatest need for risk mitigation are those that store non-public personal information (NPI): Social Security numbers, medical, financial and other private details about real individuals, as well as proprietary business data. But few companies today are not at least on the verge of capturing such data, even if they do not realize it. The value of collected data rises quickly when multiple collection points are combined, so it is not enough to secure only the most obvious targets, such as credit card databases.

Assessing Risk with SOC Reporting 

Developing a formalized process to assess third-party service provider risk can contribute substantially to a company's bottom line, and the relief is that the most effective measures cost next to nothing. Organizations of all sizes should ask each service provider for a security assessment report that lists the controls it has in place, including when the controls were last independently reviewed. A SOC 2 report is an attestation issued by an independent CPA firm describing a service organization's controls over customer data and testing them against the AICPA Trust Services Criteria. It does not by itself guarantee that your data is safe; what it gives you is auditor-tested evidence of which controls exist and, in a Type II report, whether they operated as described over a review period. A SOC 2 report is widely regarded as a minimum requirement when considering a SaaS provider.

Any service provider with access to non-public personal information should, at a minimum, be able to produce a SOC 2 report. The report is scoped against one or more of the five Trust Services Criteria (formerly called Trust Services Principles): security, availability, processing integrity, confidentiality and privacy. Security is always in scope; the other four are included only if the service organization chose to include them, so check that the categories that matter for the data you hand over (confidentiality and privacy for NPI, availability for anything customer-facing) are actually covered rather than assuming all five were tested.

Not only does a clean SOC 2 report demonstrate attention to data security, but there are significant practical benefits to working with a service provider that has one:

A streamlined audit process

While audits are never an enjoyable experience, a service provider that has already had its controls attested through SOC 2 removes at least one audit headache: your own auditors can rely on the provider's report instead of re-testing the provider's controls, making the process easier, smoother and faster.

Stable operational rigor

In a SOC 2 Type II report the auditor tests the operation of the controls over a review period, typically six to twelve consecutive months, providing evidence to third parties that the provider not only designed the controls but has kept them operating over time. A Type I report covers the design of controls at a single point in time and says nothing about ongoing operation, so ask for Type II. Also check the dates: a report whose period ended many months ago should be accompanied by a bridge letter from the provider's management covering the gap, or by a newer report.

Access to greater service provider information

The SOC 2 examination produces a detailed report describing the provider's systems and operations, the controls tested for each criterion in scope, the auditor's opinion and any exceptions found. The SOC 2 report itself is a restricted-use document shared with customers and prospects, usually under NDA, rather than published; a provider that wants a short public-facing summary can additionally issue a SOC 3. The SOC 2 report is the one to ask for, because it lets a potential technology partner judge whether the provider's controls meet their own standards, and it lists the complementary user entity controls that the customer is expected to operate on its side for the provider's controls to be effective.
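The checks described above (Type II rather than Type I, a recent review period or bridge letter, the right criteria in scope, a clean opinion and no unreviewed exceptions) are mechanical enough to encode. The following is an added example, not code from the original article or from GroupBy: a small triage routine that takes the cover facts transcribed from a vendor's SOC 2 report and returns the follow-up items a reviewer should raise. The field names, the six-month minimum period and the 90-day bridge-letter threshold are assumptions chosen for illustration; the sample report is constructed.

```python
"""Triage a vendor's SOC 2 report before relying on it (added example).

Real SOC 2 reports are PDFs; the reviewer transcribes the cover facts into
Soc2Report by hand. Field names and thresholds are assumptions, not an
AICPA-defined schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# The five Trust Services Criteria categories. Security is always in scope;
# the other four are included only if the service organization chose them.
TRUST_SERVICES_CRITERIA = {
    "security", "availability", "processing integrity", "confidentiality", "privacy",
}


@dataclass
class Soc2Report:
    vendor: str
    report_type: int                  # 1 = design at a point in time, 2 = operation over a period
    period_end: date                  # "as of" date for Type I, end of review period for Type II
    criteria: Set[str]                # categories the service organization had tested
    opinion: str                      # "unqualified" is a clean opinion; anything else needs attention
    period_start: Optional[date] = None       # Type II only
    exceptions: List[str] = field(default_factory=list)   # deviations the auditor listed
    bridge_letter_through: Optional[date] = None          # management's gap letter, if any


def required_criteria(handles_npi: bool, customer_facing: bool) -> Set[str]:
    """Criteria that must be in scope given what the vendor does for us."""
    need = {"security"}
    if handles_npi:
        need |= {"confidentiality", "privacy"}
    if customer_facing:
        need.add("availability")
    return need


def triage(report: Soc2Report, handles_npi: bool, customer_facing: bool,
           today: date, min_period_days: int = 180, max_gap_days: int = 90) -> List[str]:
    """Return reviewer follow-ups; an empty list means the report is usable as-is."""
    findings: List[str] = []

    unknown = report.criteria - TRUST_SERVICES_CRITERIA
    if unknown:
        findings.append(f"unrecognised criteria listed: {sorted(unknown)}")

    missing = required_criteria(handles_npi, customer_facing) - report.criteria
    if missing:
        findings.append(f"criteria not in scope: {sorted(missing)}")

    if report.report_type != 2:
        findings.append("Type I report: controls evaluated at a point in time only; request Type II")
    elif report.period_start is None or \
            (report.period_end - report.period_start) < timedelta(days=min_period_days):
        findings.append(f"Type II review period shorter than {min_period_days} days")

    # Coverage ends at the review period unless a bridge letter extends it.
    covered_through = report.bridge_letter_through or report.period_end
    gap = today - covered_through
    if gap > timedelta(days=max_gap_days):
        findings.append(f"coverage gap of {gap.days} days since {covered_through}; "
                        "request a bridge letter or a newer report")

    if report.opinion != "unqualified":
        findings.append(f"auditor opinion is '{report.opinion}', not unqualified")

    for exc in report.exceptions:
        findings.append(f"exception to review: {exc}")
    return findings


# Constructed sample: a Type II report that is clean but narrow and stale.
SAMPLE_REPORT = Soc2Report(
    vendor="ExampleSearch Inc. (constructed)",
    report_type=2,
    period_start=date(2017, 4, 1),
    period_end=date(2017, 9, 30),
    criteria={"security", "availability"},
    opinion="unqualified",
    exceptions=["Q2 quarterly user-access review not evidenced"],
)


def sample_findings(today: date = date(2018, 5, 16)) -> List[str]:
    """Triage the constructed sample as a vendor that will hold NPI for a customer-facing service."""
    return triage(SAMPLE_REPORT, handles_npi=True, customer_facing=True, today=today)


if __name__ == "__main__":
    for item in sample_findings():
        print("-", item)
```

Run against the constructed sample, the routine flags three items: confidentiality and privacy were never tested even though the vendor will hold NPI, the review period ended more than 90 days ago with no bridge letter, and the listed access-review exception needs a look. A current, full-scope, unqualified Type II report with no exceptions returns an empty list.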

Given how readily attackers now move through a partner to reach their real target, information security can no longer remain a purely internal effort; it must be accounted for at every stage of a company's supply chain. Security must be a top criterion when making technology investments, and a SOC report makes the first pass of that assessment quick and inexpensive. Retailers that take the time to put these questions to their third-party vendors will spare themselves large costs in both dollars and customer loyalty.

About the Author: Roland Gossage is the CEO of GroupBy Inc. Gossage is responsible for the overall vision, strategy, operations and development of GroupBy Inc, a leading eCommerce provider. Roland is a seasoned professional with over 20 years of experience in sales, marketing, services, operations and development in the enterprise software industry. Prior to GroupBy, Roland was a Vice President at Endeca, where he held many different leadership positions. This followed successful tenures at Cognos, Hummingbird Communications and Pure Data, where he helped establish these companies in their respective markets. Before beginning his career in software, Gossage was a member of the Canadian Armed Forces, serving in the Armoured Corps for six years.