Retail Security: Third-Party Interaction
Today, most organizations outsource critical business operations to third parties. Although third parties offer retailers many benefits, including access to services the retailer does not specialize in, they can also create additional security risks and exposures. “Because an adversary will always utilize the easiest, simplest and most effective way to break into an organization, a third party with full access to the network poses significant exposure.” (Cole, 2015)
There is a story in the newspaper. A company sent consumer information to a printing facility in an industrial park. The data was simply copied without encryption or any protection onto the server…
Organizations may believe that when they transfer work to third parties, the risk is also transferred. However, this is not true. The organization is ultimately responsible if PCI data is compromised at the third party. PCI requirements clearly state, “Organizations that outsource their CDE or payment operations to third parties are responsible for ensuring that the account data is protected.” The article provides guidance on understanding, recognizing and minimizing the risk of exposure from third parties.
Risk Associated with Third Parties
If a retailer decides to outsource any business operations to a third party, no matter what the third party does or how it does it, the retailer is still liable and responsible for any breaches. Although a third party can greatly increase a retailer’s productivity and cost effectiveness, we should also consider the cost of a breach, which could be a huge amount. It is very possible that an organization could save thousands of dollars per year from outsourcing, but the potential loss due to poor security could be millions of dollars. So we have to perform a cost-benefit analysis that compares the cost savings of using a third party with the cost of a breach. In the article, the author has not mentioned the types of third-party risk. I find that there