Infosecurity Europe poll reveals IT professionals ‘very concerned’ about supply chain security risk

Over one-third (38%) of IT professionals say they are very concerned about the security risks third-party providers present to their organisation, according to the latest Twitter poll run by Infosecurity Europe, Europe’s number one Information Security event. More than a quarter (27.7%) admit they have no processes in place to control data and information flow between suppliers, with 20.1% simply having no idea whether any such measures have been implemented. 

In addition to the IT professionals who are very concerned about third-party risk, a further 33.9% feel somewhat concerned, with a confident 28.1% saying they are not at all concerned. While more than half (52.3%) of respondents have a process in place to control data flow between providers, only 35.1% actually enforce this policy.  

Infosecurity Europe also asked IT professionals what security prerequisites would be top of the list when preparing to work with a supplier. The number one priority was a full risk assessment (37.9%), followed by cyber insurance (24.3%), proven compliance (21.7%) and national accreditation (16.1%).  

Recent research from the Ponemon Institute and SecureLink found that almost half of all organisations have suffered a data breach via a third party in the past 12 months. The risk is likely to rise as businesses along the supply chain adjust to yet another shift in working models, creating new vulnerabilities. In addition, organisations will increasingly turn to third-party providers as they seek to streamline their operations, widening their attack surface.

Maxine Holt, Senior Research Director at Omdia, echoes the value of a full risk assessment for every provider, but recognises the difficulty in keeping on top of them all. “The starting point is discovery: which organisations do you have relationships with? What’s the nature of the relationship; do they handle PII on your behalf? Then prioritise accordingly. Request compliance information and details of cyber-risk insurance and accreditations. You also need to know where your data is and what it’s doing, and third parties must be able to ensure that data transfers are consistent with what has been agreed.”

Security policies for third parties should be clearly defined, communicated and understood, advises independent researcher David Edwards. “Additionally, data protection clauses must be incorporated into the overall contract,” he said. “Where data is processed outside the EU, model clauses should be used – including consideration for the supplier’s outsourced providers. Technical security controls should also be checked; for example, encryption, access management and data loss prevention systems.”

Meha Shukla, Researcher with University College London’s Department of Security and Crime Science, believes organisations need to assess not only security risks, but also operational resilience and liability risks in the event of disruption to citizen-centric services. “Assessments should focus on holistic operational risks, including physical locations, people, processes and cyber, for critical components of composite services in the entire ecosystem,” said Shukla. “The government needs to support third parties in terms of an approach to a consistent benchmark and a roadmap for upgrading their capabilities. Organisations must also ensure that their risk reduction strategies do not stifle innovation.”

Nicole Mills, Exhibition Director at Infosecurity Group, said: “The security risks that lie within supplier ecosystems have been brought to the foreground in the last 12 months, with high-profile breaches hitting SolarWinds, Microsoft, BlackBaud and Accellion. However, many organisations still appear to have no real control over what happens to their critical data as it moves along the supply chain. It’s no wonder concerns over third-party risk are so high. IT must put measures in place to control information flow and access, and carry out rigorous security checks and risk assessments before signing on the dotted line.” 