Outsourcing has become the bedrock of business in the digital world. Need marketing support? An app developer? Product packaging? Whatever the task, there's a third party out there that can do the work for you.
But have you ever stopped to think about your third parties' third parties? Just as your business acquires new skills and saves time and money through outsourcing, so too do your outsourcers.
We call your suppliers' third parties fourth parties. And they're a potent data security risk you need to know about.
What’s a fourth party?
Think of your business like a mind map. Your company is at the center of the page, and your third parties radiate out around you. But each third party also has its own links to suppliers and contractors, making the mind map even bigger, until it looks more like a web.
Now, it's completely expected for suppliers and contractors to work with third parties. It's just how business gets done these days.
However, failing to pay attention to the security and compliance complications of fourth parties spells trouble – especially in the age of cloud apps and effortless data sharing.
What is fourth party risk?
Without you realizing it, it's entirely possible that your third-party collaborators are sharing your files and sensitive data with another organization or individual.
Usually, there's no malicious intent here. Organizations often use freelancers and contractors to assist them with projects, particularly in agency environments.
Typically, to do this, they'll use tools like Google Drive, Box, Slack and Teams to seamlessly share files, links and other resources.
Here's where issues start to arise. Often, not enough care or thought is given to how and why files are shared. It's common for third parties to forward all the files you've given them, simply because it's easier and takes less time. But what if some of those files contain confidential information? While your third party might have passed your risk assessment, who's to say your fourth party has the right to read this information?
Another big problem is sharing links. These are great for collaboration but, if managed negligently, they can leave your internal documents exposed to the whole internet, where anyone could find and exploit them. Just one misconfiguration like this could result in a huge data breach, and a hefty compliance fine to go with it.
Quite quickly, you can see how well-intentioned data sharing between third and fourth parties leads to out-of-control chaos. People you don't know and haven't vetted might be accessing, sharing and editing your sensitive information, unintentionally putting your company at risk of data leakage and theft as a result.
Do I need to be concerned?
In a word, yes. The less control you have over your data, the more vulnerable you are to all sorts of cyber incidents.
With unrestricted information sharing, the most potent, direct risk is data theft and leakage, which can lead to hefty compliance fines. Under laws like HIPAA and the GDPR, you need to maintain control of sensitive information at all times.
But that's just the tip of the iceberg. If the documents you share with third parties contain things like customer information or employee data, you open the door to online fraud.
If malicious actors get their hands on PII or PHI, which is much more likely when you're unable to adequately protect it, they could use this data as the basis for all sorts of attacks – even taking over employee accounts if they manage to find the right information!
With so much at stake, getting a handle on fourth party risk is vital. We'll explore how in the next section.
How to manage fourth party data sharing
Managing fourth party data sharing can seem like an impossible task. After all, you can't see or control what third and fourth parties do with your data. In fact, you sometimes struggle even to control how your own employees interact with your sensitive information!
The answer, on all counts, lies in curtailing information sharing at the source. You need a quick, repeatable and reliable way to ensure your people only share non-sensitive information with third parties. Doing this will completely eradicate the risk of PII, PHI and confidential information spreading out of control.
How do you do it? With SaaS-based data loss prevention (DLP).
Tools like Polymer DLP automate the process of discovering and protecting sensitive information in your cloud apps – like Slack, Box and Google Drive. Using compliance-based policy templates and the principle of zero trust, our tool works autonomously to protect your sensitive data from being overshared in real time, in both structured and unstructured formats.
To put this in context: imagine one of your team goes to share a Google Drive file with a third party. Working behind the scenes, our tool quickly scans the document for evidence of sensitive data. It makes a lightning-fast judgment on whether your user can share the document as-is, whether information needs redacting first, or whether the action should be blocked.
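The scan-then-decide flow just described, as an added illustration that is not Polymer's code and does not reflect its actual detectors or policies: a toy pre-share check classifies a document's contents, treats recipients outside an assumed internal domain (and public "anyone with the link" shares, the misconfiguration discussed earlier) as unvetted, and returns allow, redact or block. The detector patterns, severity tiers, internal domain and sample inputs are all constructed assumptions.

```python
"""Toy pre-share DLP check, added here as an illustration of the scan-then-decide
flow described above. Not Polymer's code: detectors, policy thresholds, the
internal domain and the sample documents are all constructed assumptions."""
import re

# Detector patterns (constructed; a production engine has far more, plus validation).
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
BLOCK_TYPES = {"ssn", "card"}    # high severity: never leaves the organisation
REDACT_TYPES = {"email"}         # medium severity: shareable externally once masked
INTERNAL_DOMAIN = "example.com"  # assumed; recipients here are treated as insiders

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit reference numbers are not flagged as cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> dict:
    """Map detector name -> list of matches found in the document text."""
    found = {}
    for kind, pat in DETECTORS.items():
        hits = [m.group(0) for m in pat.finditer(text)]
        if kind == "card":
            hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
        if hits:
            found[kind] = hits
    return found

def decide_share(text: str, recipient: str, anyone_with_link: bool = False):
    """Return (action, text_to_share); action is 'allow', 'redact' or 'block'.
    anyone_with_link models a public sharing link: effectively an unvetted recipient."""
    found = set(find_sensitive(text))
    external = anyone_with_link or not recipient.endswith("@" + INTERNAL_DOMAIN)
    if not external or not found:
        return "allow", text           # insiders, or nothing sensitive to protect
    if anyone_with_link or found & BLOCK_TYPES:
        return "block", None           # public links and high-severity data: stop it
    redacted = text
    for kind in found & REDACT_TYPES:  # mask medium-severity items, then let it through
        redacted = DETECTORS[kind].sub(f"[{kind.upper()} REDACTED]", redacted)
    return "redact", redacted
```

The Luhn check is what keeps an ordinary 16-digit order number from being blocked as a card, which is the kind of false positive that makes users route around a DLP control.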
At the same time, we've embedded micro-learning into our engine. Polymer DLP doesn't just stop data loss; it also teaches your people why certain actions are risky. Over the course of just a month, this approach is proven to dramatically reduce user error and negligence.
Of course, in some instances it will make sense for your employees to share sensitive information with a third party. In these cases, process is everything.
You need to put in place clear templates and agreements for your third parties to sign, stating that they are not allowed to share your sensitive information with any fourth party.
Ideally, you'll also only build relationships with suppliers that have achieved a security standard like ISO 27001 or SOC 2. These certifications demonstrate that your third parties take security seriously, and such suppliers are much less likely to trigger uncontrolled data sprawl.
If you’re worried about data security in your SaaS apps, start with our free Slack risk scan. In just minutes, you’ll learn about the extent of sensitive data exposure in your workspace.