Several regulatory bodies have been putting a greater and greater emphasis on performing 3rd party due diligence. With some new information from the 2008 Data Breach Investigations Report from the Verizon Business Risk Team, it is easy to see why.
When a breach occurs as a result of a third party or partner, it is almost evenly split whether the source was a 3rd party employee or a compromised system or connection managed by the partner.
Criminals used a partner asset or connection 57% of the time. The remaining 43% is made up of remote partner employees (3%), remote IT admins (16%), on-site employees (3%) and unknown (21%).
This is why 3rd party due diligence is so important. Be sure you are doing business with companies that are under regulatory review themselves, that are financially strong, and that undergo audits such as SAS-70 Type II and security audits such as a Cybertrust TruSecure assessment. This is especially true this year, when the economy is straining so many companies. Be sure you are working with companies that aren't going to cause a data breach of your sensitive or critical data.