Over one third of IT professionals are ‘very concerned’ about supply chain security risk, according to Infosecurity Europe poll
Over one third (38%) of IT professionals say they are very concerned about the security risks third-party providers present to their organisation, according to the latest Twitter poll run by Infosecurity Europe, Europe’s number one information security event.
More than a quarter (27.7%) admit they have no processes in place to control data and information flow between suppliers, with 20.1% simply having no idea whether any such measures have been implemented.
In addition to the IT professionals who are very concerned about third-party risk, a further 33.9% feel somewhat concerned, with a confident 28.1% saying they are not at all concerned. While more than half (52.3%) of respondents have a process in place to control data flow between providers, only 35.1% actually enforce this policy.
Infosecurity Europe also asked IT professionals what security prerequisites would be top of the list when preparing to work with a supplier. The number one priority was a full risk assessment (37.9%), followed by cyber insurance (24.3%), proven compliance (21.7%) and national accreditation (16.1%).
Recent research from the Ponemon Institute and SecureLink has found that almost half of all organisations have suffered a data breach via a third party in the past 12 months. The risk is likely to rise as businesses along the supply chain adjust to yet another shift in working models, creating new vulnerabilities. In addition, organisations will increasingly turn to third party providers as they seek to streamline their operations, widening their attack surface.
Maxine Holt, Senior Research Director at Omdia, echoes the value of a full risk assessment for every provider, but recognises the difficulty in keeping on top of them all. “The starting point is discovery: which organisations do you have relationships with? What’s the nature of the relationship; do they handle PII on your behalf?
Then prioritise accordingly. Request compliance information, and details of cyber-risk insurance and accreditations. You also need to know where your data is and what it’s doing, and third-parties must be able to ensure that data transfers are consistent with what has been agreed.”
Security policies for third-parties should be clearly defined, communicated, and understood, advises independent researcher David Edwards. “Additionally, data protection clauses must be incorporated into the overall contract,” he says. “Where data is processed outside the EU, model clauses should be used – including consideration for the supplier’s outsourced providers. Technical security controls should also be checked; for example encryption, access management and data loss prevention systems.”
Meha Shukla, Researcher with University College London’s Department of Security and Crime Science, believes organisations need to assess not only security risks, but also operational resilience and liability risks in the event of disruption of citizen-centric services. She says: “Assessments should focus on holistic operational risks, including physical locations, people, processes and cyber, for critical components of composite services in the entire ecosystem.
The government needs to support third-parties in terms of an approach to a consistent benchmark and a roadmap for upgrading their capabilities. Organisations must also ensure that their risk reduction strategies do not stifle innovation.”
Also Read: GDPR – After Three Years of Implementation, Device Encryption among Enterprises…
Nicole Mills, Exhibition Director at Infosecurity Group, says: “The security risks that lie within supplier ecosystems have been brought to the foreground in the last 12 months, with high profile breaches hitting SolarWinds, Microsoft, BlackBaud and Accellion.
However, many organisations still appear to have no real control over what happens to their critical data as it moves along the supply chain. It’s no wonder concerns over third-party risk are so high. IT must put measures in place to control information flow and access, and carry out rigorous security checks and risk assessments before signing on the dotted line.”
The conference programme at Infosecurity Europe (13-15 July at Olympia London) will feature presentations, talks and discussions that provide valuable insight into reducing cyber risk, including within the supply chain. Relevant sessions include:
Keynote presentation: Enhancing Access and Control over your Supply Chains
Keynote Stage, Tuesday 13 July, 15:50 – 16:35
Jon Townsend, CIO, National Trust; Benjamin Corll, VP, Cyber Security and Data Protection, Coats; Robin Smith, Head of Cyber and Information Security, Aston Martin Lagonda Ltd; Peter Yapp, Partner, Schillings
This year’s Infosecurity Europe 2021 event will combine both physical and virtual elements, with selected talks and discussions to be made available online. Registration is open here, and details on the complete conference programme are available here. The event will be run in strict compliance with COVID-19 guidelines, and more information is available here.
In addition to the live event in July, Infosecurity Europe will be running an exciting virtual conference from 8-10 June 2021 focused on rethinking and regrouping as the impact of COVID-19 continues to become apparent
Drawing 2,596 responses, the Twitter poll was conducted during the week of 17 May 2021. Infosecurity Europe also interviewed its network of CISOs and analysts to gather their views on third-party risk.
For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates