Businesses are increasingly reliant on external relationships that require ever-greater access to organisations’ critical data assets. Recent figures indicate that more than half of organisations have experienced a third-party data breach, costing firms millions as they deal with the consequences. In its latest annual review, the NCSC has drawn attention to the threat of supply chain attacks, citing SolarWinds and Microsoft Exchange as recent examples of compromised software platforms and service providers.
From a regulatory standpoint, rules like those that apply to Operators of Essential Services (OES) are set to broaden in scope and will soon apply to financial services. This means the disruptive effect of a data breach could land firms with a hefty fine – on top of the financial and reputational damage in the wake of an attack.
Despite these consequences, many firms remain unprepared for such an event. Part of the problem is that it’s too easy to fail at the first hurdle. During procurement, considerations such as cost, reputation, quality and ease of use take precedence over ensuring that data assets accessed by third-party solutions are adequately protected.
Getting security right – at the very beginning – doesn’t have to be a complex or overwhelming task.
A practical first step is to ensure your security team works in close collaboration with the procurement team from the start of the pre-contract phase.
This simple step will yield many important benefits, including:
- Integration of security throughout the vendor relationship, from the RFP to operational stages, as well as contract closure in the event the application is no longer required
- Assessment of third-party security, proportional to the level of risk
- Contractualisation of the security and risk management strategy along with monitoring processes
- Security assurance planning for the most critical third parties
- Analysis of fourth-party risk
- Stressed exit planning to ensure your organisation can react quickly in the event a third party is compromised