Third party security breaches: How to ensure your data is safe on others’ systems
31 August 2017
The reality of today’s cyber security landscape is that a company’s security extends to its third-party relationships.
Whilst many businesses are still grappling with their own IT security, it is becoming increasingly evident that organisations must consider their security strategies not only from an internal perspective but across the entire supply chain.
Many companies, particularly those subject to strict regulators or working to standards such as ISO 27001, will understand the need to manage partners and suppliers in terms of data security. Different types of data can, in effect, be classed as asset types; they can then be categorised and have suitable controls put in place. You have to identify what you are trying to protect before you will see the potential issues revolving around it.
In theory, many businesses are not going to be able to easily control the security of their data once it sits on a third party's network, somewhere in the supply chain. They can, however, check the controls that the third party has in place and either sign them off as acceptable or demand tighter controls, e.g. data leak prevention, encryption at rest, etc., if necessary. This check should form part of the outsourcing contract, and it makes sense for both parties to work to some common standard, such as ISO 27001, to ease integration and the integrity of documentation.
Businesses and their partners must also take steps to minimise their own IT security risks in the event of a compromise. Many IT users fall into the habit of using similar passwords, if not an identical one, for all their applications, leaving the business vulnerable. To avoid this risk of data leakage, organisations should consider requiring a unique password for every application or account, and for each user.
Using multi-factor authentication adds another layer of security, making it more difficult for a cybercriminal to use stolen third-party credentials. The arrival of the GDPR will go some way towards making businesses understand the data they hold and how they process it, both for themselves and for others. In addition, by providing employees with real-life examples of security breaches, firms can help their staff understand their role in maintaining the organisation's IT security, and remind them that they are in fact the first line of defence.