Richmond, Surrey, UK: 26 May 2021 – Over one third (38%) of IT professionals say they are very concerned about the security risks third-party providers present to their organisation, according to the latest Twitter poll run by Infosecurity Europe, Europe’s number one information security event. More than a quarter (27.7%) admit they have no processes in place to control data and information flow between suppliers, with 20.1% simply having no idea whether any such measures have been implemented.
In addition to the IT professionals who are very concerned about third-party risk, a further 33.9% feel somewhat concerned, with a confident 28.1% saying they are not at all concerned. While more than half (52.3%) of respondents have a process in place to control data flow between providers, only 35.1% actually enforce this policy.
Infosecurity Europe also asked IT professionals what security prerequisites would be top of the list when preparing to work with a supplier. The number one priority was a full risk assessment (37.9%), followed by cyber insurance (24.3%), proven compliance (21.7%) and national accreditation (16.1%).
Recent research from the Ponemon Institute and SecureLink has found that almost half of all organisations have suffered a data breach via a third party in the past 12 months. The risk is likely to rise as businesses along the supply chain adjust to yet another shift in working models, creating new vulnerabilities. In addition, organisations will increasingly turn to third-party providers as they seek to streamline their operations, widening their attack surface.
Maxine Holt, Senior Research Director at Omdia, echoes the value of a full risk assessment for every provider, but recognises the difficulty in keeping on top of them all. “The starting point is discovery: which organisations do you have relationships with? What’s the nature of the relationship; do they handle PII on your behalf? Then prioritise accordingly. Request compliance information, and details of cyber-risk insurance and accreditations. You also need to know where your data is and what it’s doing, and third parties must be able to ensure that data transfers are consistent with what has been agreed.”
Meha Shukla, Researcher with University College London’s Department of Security and Crime Science, believes government should help suppliers that fall short to improve their security posture. She says: “Third-party risk assessments should focus on holistic operational risks, including people, processes and cyber, for critical components of composite services across organisations. The government needs to support third parties in terms of an approach to a consistent benchmark and the upgrading of capabilities. Organisations must also ensure that the risk reduction strategies they put in place do not stifle innovation.”
Security policies for third parties should be clearly defined, communicated and understood, advises independent researcher David Edwards. “Additionally, data protection clauses must be incorporated into the overall contract,” he says. “Where data is processed outside the EU, model clauses should be used – including consideration for the supplier’s outsourced providers. Technical security controls should also be checked; for example, encryption, access management and data loss prevention systems.”
Nicole Mills, Exhibition Director at Infosecurity Group, says: “The security risks that lie within supplier ecosystems have been brought to the foreground in the last 12 months, with high profile breaches hitting SolarWinds, Microsoft, BlackBaud and Accellion. However, many organisations still appear to have no real control over what happens to their critical data as it moves along the supply chain. It’s no wonder concerns over third-party risk are so high. IT must put measures in place to control information flow and access, and carry out rigorous security checks and risk assessments before signing on the dotted line.”
The conference programme at Infosecurity Europe (13-15 July at Olympia London) will feature presentations, talks and discussions that provide valuable insight into reducing cyber risk, including within the supply chain. Relevant sessions include:
Benjamin Corll, VP, Cybersecurity, Coats
Keynote Stage, Tuesday 13 July, 15:50 - 16:35
This year’s Infosecurity Europe event will combine both physical and virtual elements, with selected talks and discussions to be made available online. Registration is open here, and details of the complete conference programme are available here. The event will be run in strict compliance with COVID-19 guidelines, and more information is available here.
In addition to the live event in July, Infosecurity Europe will be running an exciting virtual conference from 8-10 June 2021 focused on rethinking and regrouping as the impact of COVID-19 continues to become apparent. The full agenda is available here.
Drawing 2,596 responses, the Twitter poll was conducted during the week of 17 May 2021. Infosecurity Europe also interviewed its network of CISOs and analysts to gather their views on third-party risk.