Key Points

Introduction

  • This episode features just Justin and Mario (lean team)
  • The UnHacked podcast focuses on preventable security breaches (the hosts cite a figure of 97% of breaches being preventable with basic measures)
  • The hosts work with businesses to protect them from hackers, government audits, and legal issues

Third-Party Integration Risks

Justin's Story

  • A healthcare client wanted to implement a third-party integration
  • Justin reached out to the vendor for a Business Associate Agreement (BAA) and information about data access
  • The vendor was unresponsive until the meeting, where they improperly presented a BAA for signature
  • Justin halted the process due to security and compliance concerns
  • The client was relieved that Justin had reservations, validating their own concerns

Mario's Story

  • Mario previously developed an integration for medical offices that connected phone systems with appointment scheduling software
  • The integration only pulled three data points (first name, phone number, appointment time)
  • Despite pulling only those three fields, the integration's credentials gave it access to the entire database of each medical facility
  • Initial security measures included encryption but lacked two-factor authentication
  • Mario eventually discontinued the service before any breaches occurred
  • Reflecting back, he realized the significant security risks they had created

Supply Chain Attack Concerns

  • Third-party integrations create a "supply chain" of potential vulnerabilities
  • IT providers depend on many vendors, each of which depends on its own vendors (fourth parties the customer never sees)
  • Organizations have limited control over third-party code and the vendor's security practices
  • External code may pull in unknown libraries or read data it was never authorized to access


Best Practices for Evaluating Third-Party Integrations

Information Collection and Storage

  • Determine exactly what information the third party will access
  • Verify that data is encrypted in transit and at rest
  • Establish data retention policies (Mario's example: purging data after a few weeks)
  • Follow the principle: "Don't store data you don't need"
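The least-privilege fix for the situation in Mario's story, together with the retention purge recommended above, as an added example (not code from the podcast or its hosts). It models the scheduling database with Python's sqlite3: a connection-level authorizer stands in for a scoped database account and lets the integration read exactly first name, phone number and appointment time from an appointments table, while every other read, every write and all DDL is refused. The table layout, the sample rows and the 21-day retention window are constructed for illustration.

```python
"""Least privilege and retention for a third-party scheduling integration.

Added example. The schema, rows and retention window are constructed for
illustration; in production the same restriction belongs in a dedicated
database account (or a read-only view) granted to the integration, not in
client code that the vendor controls.
"""
import sqlite3
from datetime import datetime, timedelta

# The integration's data contract: the only table/columns it may read.
ALLOWED_READS = {"appointments": {"first_name", "phone", "appt_time"}}
RETENTION = timedelta(days=21)  # "purge after a few weeks"


def seed_database() -> sqlite3.Connection:
    """In-memory database with constructed sample data (no real patients)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE patients (
            id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT,
            phone TEXT, dob TEXT, diagnosis TEXT);
        CREATE TABLE appointments (
            id INTEGER PRIMARY KEY, patient_id INTEGER, first_name TEXT,
            phone TEXT, appt_time TEXT, notes TEXT);
        INSERT INTO patients VALUES
            (1, 'Alice', 'Example', '555-0100', '1980-01-01', 'constructed-dx'),
            (2, 'Bob', 'Sample', '555-0101', '1975-05-05', 'constructed-dx');
        INSERT INTO appointments VALUES
            (1, 1, 'Alice', '555-0100', '2024-06-01T09:00', 'room 2'),
            (2, 2, 'Bob', '555-0101', '2024-06-01T10:30', 'follow-up');
        """
    )
    return conn


def integration_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """SQLite authorizer callback: permit SELECT statements and reads of the
    contracted columns only. Any other column or table read, every write and
    all DDL is denied, so the statement fails at prepare time ('not authorized')."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg2 in ALLOWED_READS.get(arg1, ()):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def restrict_to_contract(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Apply the authorizer; stands in for handing the vendor a scoped account."""
    conn.set_authorizer(integration_authorizer)
    return conn


def fetch_reminders(conn: sqlite3.Connection, fetched_at: datetime) -> list[dict]:
    """The integration's one legitimate query. Each cached row records when it
    was pulled so the retention purge can age it out."""
    rows = conn.execute(
        "SELECT first_name, phone, appt_time FROM appointments"
    ).fetchall()
    return [{"first_name": n, "phone": p, "appt_time": t, "fetched_at": fetched_at}
            for n, p, t in rows]


def is_permitted(conn: sqlite3.Connection, sql: str) -> bool:
    """True if the authorizer lets the statement run, False if it is refused."""
    try:
        conn.execute(sql).fetchall()
        return True
    except sqlite3.DatabaseError:  # SQLITE_AUTH surfaces as DatabaseError
        return False


def purge_expired(cache: list[dict], now: datetime, retention=RETENTION) -> list[dict]:
    """Keep only rows fetched within the retention window ("don't store data
    you don't need"); returns the surviving cache."""
    return [r for r in cache if now - r["fetched_at"] <= retention]


def run_demo() -> dict:
    """Exercise the contract: one allowed query, three refused ones, a purge."""
    conn = restrict_to_contract(seed_database())
    cache = fetch_reminders(conn, datetime(2024, 5, 20))
    return {
        "contract_query": is_permitted(
            conn, "SELECT first_name, phone, appt_time FROM appointments"),
        "whole_patients_table": is_permitted(conn, "SELECT * FROM patients"),
        "extra_column": is_permitted(conn, "SELECT notes FROM appointments"),
        "write": is_permitted(conn, "DELETE FROM appointments"),
        "cached_fields": sorted(cache[0]),
        "rows_after_12_days": len(purge_expired(cache, datetime(2024, 6, 1))),
        "rows_after_42_days": len(purge_expired(cache, datetime(2024, 7, 1))),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the authorizer is that the integration's own code never gets to decide how much it reads: a `SELECT *` against the patients table, an extra column from the appointments table, or a stray `DELETE` all fail before they execute. Pair that with the time-based purge so that whatever the vendor legitimately caches does not accumulate into a second copy of the practice's records.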

Vendor Assessment

  • Ask for the vendor's SOC 2 report (preferably Type II: a Type I covers control design at a point in time, a Type II covers operating effectiveness over a review period)
  • A SOC 2 audit requires the vendor to hand extensive evidence to an independent auditor, not just make claims
  • Having been through the audit indicates an established, serious vendor (SOC 2 is an auditor's attestation report rather than a certification, so read the report and any noted exceptions instead of treating it as a badge)
  • Identify where data is stored and how it's protected
  • Determine who has access to the data (employees vs. subcontractors)
  • Conduct formal vendor risk assessments

Internal Processes

  • Regularly audit software inventory across the organization
  • Watch for "shadow IT" (unauthorized software)
  • Be particularly cautious of remote access tools like TeamViewer
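The inventory audit described in this list, as an added example that is not part of the original page: it runs over a constructed inventory export of the kind an RMM or endpoint-management tool produces (host, product, version, publisher), diffs it against a hypothetical approved baseline to surface shadow IT, and separately flags remote-access tools, sanctioned or not, since those warrant a check of MFA and session logging. The hosts, versions, baseline and product list are all constructed for illustration.

```python
"""Software-inventory audit: flag shadow IT and remote-access tools.

Added example. The inventory export, the approved baseline and the list of
remote-access products are constructed for illustration; point it at the CSV
your RMM or endpoint-management tool exports with the same four columns.
"""
import csv
import io
import re

# Constructed inventory export (not real hosts). One row per installed product.
INVENTORY_CSV = """host,product,version,publisher
FRONTDESK-01,Microsoft 365 Apps for business,16.0.17,Microsoft Corporation
FRONTDESK-01,TeamViewer,15.52.3,TeamViewer
BILLING-02,Microsoft 365 Apps for business,16.0.17,Microsoft Corporation
BILLING-02,AnyDesk,8.0.11,AnyDesk Software GmbH
BILLING-02,Free PDF Converter Pro,2.1,Unknown
EXAM-03,Microsoft 365 Apps for business,16.0.17,Microsoft Corporation
EXAM-03,Splashtop Streamer,3.6.2,Splashtop Inc.
"""

# Products IT has sanctioned (hypothetical baseline, stored in normalized form).
APPROVED_BASELINE = {"microsoft 365 apps for business", "splashtop streamer"}

# Remote-access products that deserve a second look even when sanctioned.
REMOTE_ACCESS_TOOLS = re.compile(
    r"\b(teamviewer|anydesk|splashtop|logmein|screenconnect|connectwise control"
    r"|rustdesk|atera)\b",
    re.IGNORECASE,
)


def normalize(name: str) -> str:
    """Collapse whitespace and case so 'TeamViewer  ' and 'teamviewer' match."""
    return re.sub(r"\s+", " ", name).strip().lower()


def audit_inventory(csv_text: str, approved=APPROVED_BASELINE) -> list[dict]:
    """Return one finding per installed product that needs attention.

    HIGH   unsanctioned remote-access tool (an outsider's foothold if abused)
    INFO   sanctioned remote-access tool (confirm MFA and session logging)
    MEDIUM anything else not in the approved baseline (shadow IT)
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        product = normalize(row["product"])
        remote = REMOTE_ACCESS_TOOLS.search(product) is not None
        sanctioned = product in approved
        if remote and not sanctioned:
            sev, why = "HIGH", "unsanctioned remote-access tool"
        elif remote:
            sev, why = "INFO", "sanctioned remote-access tool: confirm MFA and session logging"
        elif not sanctioned:
            sev, why = "MEDIUM", "shadow IT: not in the approved baseline"
        else:
            continue  # approved, non-remote software: nothing to report
        if row["publisher"].strip().lower() in ("", "unknown"):
            why += "; unknown publisher"
        findings.append({"host": row["host"], "product": row["product"],
                         "severity": sev, "reason": why})
    return findings


def hosts_by_severity(findings: list[dict]) -> dict[str, set[str]]:
    """Group affected hosts by severity for the summary report."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f["severity"], set()).add(f["host"])
    return out


if __name__ == "__main__":
    for f in audit_inventory(INVENTORY_CSV):
        print(f"{f['severity']:6} {f['host']:13} {f['product']:32} {f['reason']}")
```

Run it against each export and diff the findings between runs: a remote-access tool that appears on a workstation between two audits is exactly the event the "shadow IT" bullet is warning about, and the unknown-publisher flag catches the freeware that tends to arrive the same way.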

Main Takeaways

  1. When evaluating third-party systems, investigate their history, reputation, and security certifications
  2. Conduct thorough vendor risk assessments before integration
  3. Prioritize security over convenience and cost
  4. Remember that the cheapest option may indicate a newer, less secure vendor

Closing Thoughts

The increasing move to cloud services has made security more complex: every integration adds another link, and another potential vulnerability, to the supply chain. Businesses must be diligent in assessing these risks so that the integrations they adopt don't compromise their security posture.