More than a quarter admit they have no processes in place to control data and information flow between suppliers, with 20.1 percent having no idea whether any such measures have been implemented.
In addition to the IT professionals who are very concerned about third-party risk, a further 33.9 percent feel somewhat concerned, with a confident 28.1 percent saying they are not at all concerned. While more than half of respondents have a process in place to control data flow between providers, only 35.1 percent actually enforce this policy.
Infosecurity Europe also asked IT professionals what security prerequisites would be top of the list when preparing to work with a supplier. The number one priority was a full risk assessment (37.9 percent), followed by cyber insurance (24.3 percent), proven compliance (21.7 percent) and national accreditation (16.1 percent).
Recent research from the Ponemon Institute and SecureLink has found that almost half of all organisations have suffered a data breach via a third party in the past 12 months. The risk is likely to rise as businesses along the supply chain adjust to yet another shift in working models, creating new vulnerabilities. In addition, organisations will increasingly turn to third-party providers as they seek to streamline their operations, widening their attack surface.
Omdia Senior Research Director Maxine Holt said that a full risk assessment was important for every provider, but recognised the difficulty of keeping on top of them all.
“The starting point is discovery: which organisations do you have relationships with? What’s the nature of the relationship; do they handle PII on your behalf? Then prioritise accordingly. Request compliance information, and details of cyber-risk insurance and accreditations. You also need to know where your data is and what it’s doing, and third parties must be able to ensure that data transfers are consistent with what has been agreed,” she said.
Security policies for third parties should be clearly defined, communicated, and understood, advises independent researcher David Edwards.
“Additionally, data protection clauses must be incorporated into the overall contract,” he said. “Where data is processed outside the EU, model clauses should be used – including consideration for the supplier’s outsourced providers. Technical security controls should also be checked; for example, encryption, access management and data loss prevention systems.”
Meha Shukla, Researcher with University College London’s Department of Security and Crime Science, said organisations need to assess not only security risks, but also operational resilience and liability risks in the event of disruption to citizen-centric services. She said: “Assessments should focus on holistic operational risks, including physical locations, people, processes and cyber, for critical components of composite services in the entire ecosystem. The government needs to support third parties in terms of an approach to a consistent benchmark and a roadmap for upgrading their capabilities. Organisations must also ensure that their risk reduction strategies do not stifle innovation.”
Infosecurity Group Exhibition Director Nicole Mills said: “The security risks that lie within supplier ecosystems have been brought to the foreground in the last 12 months, with high profile breaches hitting SolarWinds, Microsoft, Blackbaud and Accellion. However, many organisations still appear to have no real control over what happens to their critical data as it moves along the supply chain. It’s no wonder concerns over third-party risk are so high. IT must put measures in place to control information flow and access, and carry out rigorous security checks and risk assessments before signing on the dotted line.”