Third party data theft is on the rise, and recent hacks are scary examples of what happens when you don't know who has access to your data. Apparently many firms aren't dealing with third party security well enough, but there's no time like the present to put better, faster, stronger practices in place!
Consultancy firm Booz Allen Hamilton reckons that third party breaches are becoming increasingly common, and that many companies just aren't equipped to deal with them. Drew Wilkinson, cyber risk expert at Booz, has many pearls of wisdom to drop all over the shop.
Speaking to tech news site Computer Weekly, he said: “The problem is pervasive, but failure to deal with it is due to some pretty basic failings, such as organisations not knowing all their suppliers.
“Even the US Internal Revenue Service [IRS] data breach was due to the compromise of a feature on its website that was hosted by somebody else. Organisations should spend time securing the most valuable data and knowing who has access to it.” True story Drew, true story.
The company highlights the fact that problems arise when businesses don't understand their key risk indicators. They may not be receiving relevant information, or may not be training managers and employees properly.
Sharing information between businesses is important for transparency and learning, and educating staff is a must, including those who manage third party relationships. And never share login credentials with suppliers: give them their own accounts, so that their access can be traced to a person and revoked when the relationship ends.
Our security arm Secarma has a heck tonne of advice.
They say that the most important thing is due diligence: check your suppliers and third parties before you hop into a business relationship with them. Once that's done, keep standards up with regular second party audits of your suppliers, to make sure they're still maintaining their information security controls.
It's also important to include any third parties within your risk assessment, and to use the results to plan your risk treatment.
Make sure to establish what access third parties have to your systems, and that means asking a whoooole lotta questions. Are they connecting securely? How much access do they have, and do they actually need all of it? Are they using multi-factor authentication? Are the systems logically or physically segregated to limit the impact of a breach via a third party connected system? What method of access do they have: a connection into the company's corporate network, or physical access to the building? And is that access logged and reviewed, so you can see what they actually did with it?
Make sure any third party with access to your systems sticks to your information security policies, and include them explicitly in those policies and procedures. Include clauses in the terms and conditions with any third party supplier to safeguard the interests of the company.
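As an added example (our own illustrative code, not Secarma's and not from the original post), here's how you might turn those questions into a repeatable check over an account export from your identity provider. It assumes a made-up export format, made-up access-method labels and group names, and the sample accounts are constructed; adapt the field names to whatever your directory or VPN concentrator actually exports.

```python
"""Third party access review over a constructed account export.

Added example: illustrative code only. The export format, the access method
labels, the privileged group names and the sample accounts are all assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed access-method labels: application-level access into a segregated
# zone versus access that lands inside the corporate network.
EXTERNAL_METHODS = {"portal", "sftp"}
NETWORK_METHODS = {"vpn", "site_to_site"}
# Assumed names of groups that grant privileged access.
PRIVILEGED_GROUPS = {"domain-admins", "db-admins"}

# Constructed "today" so the sample runs the same way every time.
TODAY = date(2016, 6, 1)


@dataclass
class Account:
    username: str
    organisation: str
    is_third_party: bool
    mfa_enabled: bool
    groups: list[str]
    access_method: str
    segregated: bool   # does this access land in a segregated zone?
    shared: bool       # generic login shared with the supplier?
    last_login: date


def review_account(acct: Account, today: date = TODAY, stale_days: int = 90) -> list[str]:
    """Return the findings for one account; an empty list means nothing to flag."""
    findings: list[str] = []
    if not acct.is_third_party:
        return findings  # internal staff are reviewed under a separate process
    if not acct.mfa_enabled:
        findings.append("no MFA")
    if acct.shared:
        findings.append("shared credential (no individual accountability)")
    priv = PRIVILEGED_GROUPS & set(acct.groups)
    if priv:
        findings.append(f"privileged groups: {sorted(priv)}")
    if acct.access_method in NETWORK_METHODS and not acct.segregated:
        findings.append("network access into the corporate estate without segregation")
    if acct.access_method not in EXTERNAL_METHODS | NETWORK_METHODS:
        findings.append(f"unrecognised access method: {acct.access_method!r}")
    idle = (today - acct.last_login).days
    if idle > stale_days:
        findings.append(f"dormant: no login for {idle} days")
    return findings


def review(accounts: list[Account], today: date = TODAY) -> dict[str, list[str]]:
    """Map username -> findings, listing only accounts with something to fix."""
    report: dict[str, list[str]] = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample export: two suppliers with problems, one clean, one internal.
SAMPLE = [
    Account("acme-svc", "Acme Maintenance", True, False, ["vpn-users"],
            "vpn", False, True, date(2016, 1, 10)),
    Account("j.smith@payroll", "Payroll Co", True, True, ["portal-users"],
            "portal", True, False, date(2016, 5, 30)),
    Account("dbvendor-ops", "DB Vendor", True, True, ["db-admins"],
            "site_to_site", True, False, date(2016, 5, 28)),
    Account("a.jones", "Us", False, False, ["domain-admins"],
            "vpn", False, False, date(2016, 5, 31)),
]

if __name__ == "__main__":
    for user, findings in review(SAMPLE).items():
        print(user)
        for f in findings:
            print("  -", f)
```

The point is not the particular checks but that each question from the paragraph above becomes a rule you can run again after every audit, rather than a conversation you have once. A dormant supplier account with no MFA and a shared password is exactly the kind of thing that only shows up when you look.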
Under ISO27001:2013, these factors feed into 'Clause 4 – Context of the Organisation', which establishes the need for a clear picture of your business's internal and external context, who the interested parties are, and how they interface with your information security management system. These inputs help inform the scope of the ISMS. The supplier-specific controls themselves (security in supplier agreements, monitoring and reviewing supplier services, managing changes to them) sit in Annex A.15, Supplier relationships.
There's no longer any excuse for sticking your head in the sand: there can be no weak links in the chain, or the whole house of cards (aka your business) will come tumbling down (and other mixy metaphors).
To find out more about the security solutions on offer at UKFast, take a look at our website or give us a call on 0208 045 4945.