[BreachExchange] Staying secure when collaborating with third parties
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Aug 21 19:16:50 EDT 2017
http://www.telegraph.co.uk/business/ready-and-enabled/
How-to-share-information-securely/
Partnering with other businesses can leave you open to data breaches, which
is why you should take extra care when sharing information.
It’s pretty impossible to do everything inside your own company, which
means many businesses need partners. While this can make your own business
more efficient, it means sharing your data and other resources with third
parties, increasing the security risk of a data breach.
With the General Data Protection Regulation (GDPR) set to come into effect
in May 2018, there’s never been a better time to make sure that everything
is under control. Under the new regulations, any company that is breached
and has personally identifiable information stolen could be liable for
fines of up to €20m (£17.7m) or 4pc of worldwide turnover, whichever is
greater.
Fortunately, all companies can take a few simple steps to increase security
around business collaboration, and dramatically reduce any risks to which
they’re open.
Check all third-party agreements
Any company that you partner with should have an agreement that indemnifies
you from loss because of a security flaw at their end. Should the worst
happen, and the third party is found to be at fault, you will escape the
enormous financial penalties set out by GDPR.
These clauses will become increasingly common, and it’s likely that your
business will have to sign a reciprocal agreement.
These kinds of clauses are also a good test of the quality of partner that
you’re working with. Any business that won’t sign such a clause is not to
be trusted, and the financial implications are too high for you to continue
working with them.
Perform third-party audits
As good as an indemnifying agreement is, things are still better if a
collaborator doesn’t fall foul of a data breach. For that reason, you need
to know that your partners take security seriously and are processing all
of your data correctly.
You should only ever share the absolute minimum amount of data that a
partner needs to do its job
This is particularly true under GDPR. If, for example, you were working
with a company that processed data on non-compliant servers located outside
of the EU, you’d be in breach of regulation.
Sending some simple questionnaires to your partners is a good method of
performing an audit, as you can get written confirmation that everything is
as it should be. In the worst-case scenario, if a third-party breach
happens, you’ve got a paper trail to prove that you took security and the
GDPR seriously.
Restrict access
Unfettered access to your business systems is a recipe for disaster. When
Target was hacked in the US, the cyber criminals first attacked an external
partner, a heating, ventilation and air conditioning (HVAC) company. Once
the partner company had been breached, the criminals stole the credentials
they needed to enter Target’s systems. As the HVAC company had too many
privileges and access to systems it didn’t need, the results were
devastating.
Regularly review and restrict the levels of access that any third party
has. For big projects, technologies such as hybrid cloud can help. With
this kind of system, you can put the data you need to share into the public
cloud, but maintain a more secure, locked-down private cloud for data that
you need to restrict access to.
Audit your data
Do you know where your data is stored, how it’s stored and who has access
to it? Regular audits can give you all of this information.
GDPR has very strict rules on where you can send personally identifiable
information, how it can be processed and how it can be transported
securely. You need to ensure that all data-sharing is managed in a way
that’s compliant with GDPR.
To reduce risk, you should only ever share the absolute minimum amount of
data that a partner needs to do its job.
Boost security access protocols
All too often, security is focused on internal staff, but the same policies
that apply to your business should be implemented with external partners.
If you require your employees to use two-factor authentication, external
partners should have to use the same protocols.
Remember, it’s your data that we’re talking about, and therefore your
responsibility and your rules.
Have a security breach protocol
Should the worst happen, and a third-party contractor gets hacked, you need
to be able to deal with the issue immediately, which means you need a
breach policy. Part of this should involve the third party, requiring
immediate notification after they detect a threat.
Once you’ve been informed of the problem, your company needs to know
exactly how to block third-party access, audit internal systems to detect a
breach, and reinstate sharing after the problem has been fixed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170821/cc9e5311/attachment.html>
More information about the BreachExchange
mailing list