No matter the size of your company or what industry you operate in, your data is constantly at risk. Hackers breached a staggering 37 billion user records in 2020, a 141% increase from 2019. The typical data breach costs a company $3.86 million, with costs swelling to $4 million for companies with remote workforces.
Some breaches force companies to pay ransom to hackers. Fitness device-maker Garmin paid $10 million to ransomware hackers who shut down the company’s software for nearly a week in 2020. Companies also pay fines for not meeting data protection regulations. In 2018, British Airways paid $231 million in fines for non-compliance with General Data Protection Regulation (GDPR) standards.
Beyond ransom payments and fines, breaches bring reputational damage that leads to customer mistrust and lost business opportunities. Add it all up and it’s clear that cybersecurity breaches are nothing short of a nightmare for any company operating in the digital space.
Minimize Risk By Carefully Vetting Service Partners
Companies attempting to minimize risk must not only worry about their cybersecurity practices but those of their partners. For example, when your company entrusts sensitive customer information to cloud storage providers or shares records with partners that help manage your workforce, you must understand how these partners protect their data. Working with partners that do not adequately safeguard critical employee or customer information means risking your reputation, financial viability, and ability to do business as usual.
The good news is that companies take data protection more seriously than ever. Some companies create their own security policies, procedures, and systems. Others meet recognized third-party standards.
While holding an external certification might seem to offer a greater level of protection, companies must take time to understand exactly what specific third-party standards entail. Read on to learn about three common ways companies verify their security practices:
- Joining the Cloud Security Alliance
- Achieving SOC 2 compliance
- Achieving the ISO 27001 certification
Cloud Security Alliance
The Cloud Security Alliance (CSA) is a global network of SaaS organizations, security providers, and companies that use the cloud.
While companies must undergo rigorous audits to achieve SOC 2 or ISO 27001 compliance, becoming a CSA member is a less arduous task. Companies join the CSA by paying membership fees and meeting basic data security requirements. In return, they receive benefits including general cybersecurity counsel, thought leadership from industry leaders, and access to networking events.
The CSA offers several certification programs that go beyond basic membership. The most popular is the Security, Trust & Assurance Registry (STAR). This certification consists of two tiers:
- Level 1: Designed for companies that operate in a low-risk environment and want a cost-efficient certification, this level requires companies to undergo a self-assessment based on the GDPR Code of Conduct.
- Level 2: Companies that operate in a medium- to high-risk environment pursue this level of certification, which requires a third-party audit. Companies must hold an ISO 27001 or SOC 2 certification before earning STAR Level 2 certification.
STAR-compliant companies can also achieve the CSA Trusted Cloud Provider certification. To become eligible for this certification, companies must go through training programs and meet CSA volunteering requirements.
Cybersecurity and IT experts recognize CSA membership as a good baseline step for companies to improve data protection practices. However, because membership requirements depend on which certifications—if any—a company achieves, the CSA is not a one-size-fits-all data protection solution. Check with your partners to learn precisely how their CSA involvement strengthens their data security.
System and Organization Controls 2 (SOC 2)
SOC 2 sets a series of compliance requirements for companies that store data in the cloud. SOC 2 is widely regarded as the North American standard for data protection.
The American Institute of Certified Public Accountants (AICPA) introduced SOC 2 in 2010 to standardize the way companies protect sensitive information. Companies become compliant with SOC 2 by going through a third-party audit. These companies choose which of five “Trust Principles” they want to attest to, that is, show that they fulfill. The five principles are:
- Security: Requires companies to have protective measures like firewalls, authentication requirements, and systems that detect intrusions.
- Confidentiality: Ensures companies have strong systems for protecting confidential data.
- Availability: Validates that digital systems can always be used by customers, even when security breaches occur.
- Processing Integrity: Confirms that companies correctly and completely collect their data during audits.
- Privacy: Requires companies to process data under the AICPA Generally Accepted Privacy Principles.
When vetting a partner that has undergone a SOC 2 audit, pay attention to whether the partner has gone through a SOC 2 Type 1 or Type 2 audit. Type 1 audits assess a company’s security protocols at a specific point in time, while Type 2 audits review a company’s security over a six-month or 12-month period. SOC 2 Type 2 audits are more thorough, though the recency of the audit is also relevant. Company security practices can become stronger or more relaxed as time passes, so take the time to understand your partner’s most current security practices.
SOC 2 standards are rigorous, regardless of whether a company goes through a Type 1 or Type 2 audit. Though it’s essential to learn which type of audit your partner underwent, how recent the audit was, and which principles they attested to, you can generally rest assured that a SOC 2-compliant company meets North America’s most stringent data security standards.
ISO 27001
While SOC 2 is regarded as the North American benchmark for data protection, ISO 27001 is recognized as the leading worldwide security standard.
ISO 27001 is a specification published by the International Organization for Standardization (ISO). The ISO establishes global benchmarks for a range of procedures, covering everything from delivering services to supplying materials. ISO 27001 sets requirements for how companies establish, implement, maintain, and continually improve their information security management system (ISMS).
Complying with the ISO 27001 standard requires companies to take the time to define, organize, and unify their data protection processes and procedures. Ensuring a cohesive approach is especially advantageous for fast-moving organizations. Companies that grow quickly often introduce protection practices on the fly, resulting in patchwork security systems that do not provide maximum security. By achieving ISO 27001 certification, companies prove they take a holistic approach to security, giving their partners peace of mind that they go above and beyond to safeguard their sensitive information.
The ISO 27001 standard also requires companies to continuously monitor and improve their ISMS. Consider, for example, Velocity Global, which holds an ISO 27001 certification. Velocity Global undergoes quarterly internal audits and annual approvals. Constant monitoring ensures Velocity Global’s ISMS protects partners against the latest and most dangerous cyber threats. Furthermore, Velocity Global not only corrects incidents but learns from them, increasing its ability to predict future risks. By regularly improving its ISMS, Velocity Global ensures its ISO 27001 certification is not a one-and-done procedure but a living, breathing system.
Which Data Security Standard Should You Expect Your Partners to Uphold?
There is no universally accepted best choice for a third-party data security standard. Choosing the right partner depends on your needs—and how serious you are about safeguarding data.
If you work with a CSA partner, take the time to understand exactly what their CSA involvement entails. While basic membership gives a company helpful resources to improve security practices, membership requirements vary. It’s up to you to understand exactly how that company uses its CSA affiliation to strengthen data protection.
Both the SOC 2 attestation and ISO 27001 certification, on the other hand, are nearly unanimously recognized as the standard-bearers for data protection. Choosing between partners that comply with SOC 2 and ISO 27001 comes down to one major question: where do you do business? SOC 2 is geared toward North American companies, while ISO 27001 meets global standards.
Confidently Protect Your Data Worldwide With Velocity Global
As the world’s leading international expansion provider, Velocity Global is committed to protecting partner data. Our ISO 27001 certification is a testament to that commitment. By complying with ISO 27001 standards, Velocity Global gives its partners the confidence that their data—and that of their global remote workforce—is guarded with the highest levels of care, no matter where they do business. To find out how Velocity Global safeguards sensitive information for partners in over 185 countries, reach out to our experts today.