October is Cybersecurity Awareness Month, a moment for us to ask: how comprehensive is your platform providers’ security? How do you evaluate them?
When considering a platform or software service provider, two security issues should always be on the table. The first is how much and often they invest in their security. Many organisations initially skimp on security, diverting their resources into product development. That choice comes with risks: when providers try to catch up, they can overlook security issues or struggle to work them out of the system.
The second issue relates to how today’s providers develop their offerings. It’s rare to find developers working in raw code anymore. Instead, many use third-party frameworks and modules that help accelerate their projects. This approach is efficient but leads to digital products relying on many components they don’t control. Are those components secure? Who is tracking that security? And is the service provider that relies on those components adding risk-reducing measures?
Combine the two issues, and there is a clear concern. Unless companies invest seriously in cybersecurity (from initial deployment to ongoing activities such as penetration tests and evaluating third-party components), they likely have a security shortfall. And if your business relies on that service, you are at risk, too.
“In security, we often say, ‘Don’t trust, verify’,” says Jason Shedden, digital identity platform Contactable’s Chief Operating Officer. “But a lot of businesses take it at face value that their digital providers are on top of security risks. We’re a digital identity management platform, so security is essential for both customer and compliance reasons. Not all services have that level of demand on them to scrutinise their security. Many fall into bad security habits. Then when something goes wrong, like a breach, everyone points fingers, and the bad guys win.”
How should you evaluate a service provider? Here are steps to consider:
- Start by understanding your security posture and risks. Ultimately, you cannot expect to offload cyber risks to suppliers—you need to secure your organisation. For example, you might use a lot of sensitive customer information, which is a clear target for criminals. What are you doing through technology, processes and training to manage that risk?
- Question providers to see how they fit your risk profile. Ask general questions about their security investments and culture, but also dig into specifics linked to your risks. To take the above example further, what measures do they take when their service interacts with your sensitive customer information?
- Study their architecture. Many new digital products rely extensively on third-party elements to create the service they offer to you. How much is under their control, and how do they manage those risks? Saying, ‘Our partner invests millions in security so we’re safe’, is not a good answer. Just like your organisation’s security is your concern, their security is theirs, not the third parties they use.
- Look for official recognition. Several standards dictate a company’s security diligence. For data management and security, ISO27001 is the gold standard and signifies a company that takes data-related security seriously. You can also check if they have cyber insurance, which will have its rigorous requirements, and how often they review incident response plans and conduct penetration tests.
- Experience does matter. Pay attention to their experience and capacity. A small and young startup might be unable to handle a large enterprise’s partner security requirements. The level of maturity you need from a supplier depends on what they do. Inexperienced startups offering some level of service to your employees is not a risk. An inexperienced startup handling your company’s Personal Identifiable Information can be.
- Define expectations with service agreements. Which security responsibilities lie with the partner and with the customer? Don’t wait for an incident to find out—use service agreements to codify the security relationship. For example, Contactable’s agreements clearly define the roles and responsibilities when processing customers’ data. It’s a requirement of the Protection of Personal Information Act (POPIA), but it’s also sensible and responsible.
Digital services are excellent. Your business is better off with such providers because they deliver productivity and convenience through innovation. But don’t assume they are taking care of their security—unfortunately, many are not. Know your cyber risks, put those services on the spot, check their security pedigree, and protect yourself with service agreements. That helps ensure less risk and safe transactions for everyone.