Risk from third party suppliers is set to rise as many businesses adopt new technologies to increase efficiency without the necessary skills to assess and manage the risks, warn industry experts.
“As organisations deploy new technologies, they are outsourcing more to make up for a shortage of in-house skills around things like the internet of things and artificial intelligence,” said Alan Rodger, senior analyst at research firm, Ovum.
“With this rapid expansion of outsourcing, there is increasing risk from reliance on third party suppliers,” he told a seminar on adopting an agile, business-driven approach to risk hosted by RSA Security in London.
As a result of digital transformation, businesses are increasingly reliant on a range of backend services that all potentially introduce cyber security vulnerabilities, said Rashmi Knowles, European field chief technology officer for RSA Security.
This is one of the ways that digital transformation is introducing complexity and risk, she said, that organisations need to be aware of and mitigate, especially in the face of the EU’s General Data Protection Regulation (GDPR), which adds liability for data controllers.
“If a data controller puts personal data of EU citizens in the cloud, and the cloud provider suffers a breach as the data handler, the data controller can be held liable as well, so with GDPR, third-party risk is something organisations really need to focus on,” said Knowles.
Another key difference with the GDPR is that data controllers – like cloud service providers – can now be sanctioned directly by data protection regulators, said Anthony Lee, partner at law firm DMH Stallard. “While many organisations are focusing on the substantial fines under the GDPR, a greater risk for many is the fact that regulators can halt data processing, which would effectively halt the business of any organisation reliant on that processing,” he said.
Javier Sanchez-Ureta, data officer director at Banco Sabadell, said that in the banking and finance sector, as in other highly regulated sectors, supplier risk is an important area of focus.
While some areas are considered too risky or sensitive to outsource, third party suppliers used in other areas are carefully assessed against 14 potential risk areas, and strict rules are included in all outsourcing contracts, he said, to govern the relationship with suppliers.
Key areas include suppliers’ security track record and their ability to identify and respond to data breaches, which banks will often verify by carrying out independent checks. “Where we find gaps, we will work with suppliers to help them improve,” said Sanchez-Ureta.
Knowles recommended that all incident and breach response exercises involve all third parties. “By doing this together, suppliers know what they need to do if they suffer a breach, and data controllers know what to do if they or one of their suppliers is breached,” she said, adding that this also provides an opportunity to check whether security postures are at the same level, and for data controllers to help suppliers become more aligned if required and to share best practices.
Commenting on third party contracts, Lee said they are becoming increasingly complex. “Sometimes you will have prime contractors with sub-contractors sitting behind them or there are a lot of interdependencies between a number of suppliers into a particular customer, but they are not necessarily in a sub-contractor supply chain, and there is even further complexity added in the light of the GDPR if personal data of EU citizens is involved,” he said.
From a governance, risk and control (GRC) perspective, organisations need to ensure that they extend their GRC processes so that they are engineered to cover all enterprise activities wherever the organisation’s information of value goes, said Raef Meeuwisse, author and GRC expert.
“Enterprises need to identify their information of value and consider where it travels to, because that defines where they are going to need effective control, security and GRC,” he said, adding that extending GRC beyond the organisation is essential.
All too often, he said, GRC processes end at the network perimeter, and as a result, organisations are relying on procurement contracts and trust beyond that, which is “not a very effective” approach.
Another common problem is that enterprises are failing to invest in GRC assessments for low-cost or no-cost cloud service providers, but it is often these suppliers that represent the greatest risk, because they are less likely to invest in security checks and balances than the more mature, higher-cost providers.
“It is also important to ensure all GRC requirements are included in the contract from the very start, but security is often an afterthought, and organisations find they have to renegotiate the contract when security gaps start to appear,” said Meeuwisse.
Lee said there is often a lack of maturity in the way that cloud contracts are put together, particularly by smaller providers.
“Consumers of cloud services need to watch out for clauses that allow services to be terminated with very little cause, for example, or that say that the terms and conditions can be changed on notice or that the supplier takes no responsibility for the data it is handling,” he said, adding that the more mature cloud service providers are starting to introduce clauses that meet regulatory requirements, including those of the GDPR.
With specific reference to the GDPR, the panel said organisations working with third parties should ensure that they have documentary evidence to show that they have done due diligence for each of their suppliers, because if a supplier is breached, the data protection authorities are likely to be a lot more lenient in cases where the data controller has done proper due diligence.
In addition, Lee said organisations can reduce the risk around the use of cloud services by first considering if they have the right to share the data they are planning to put in the cloud with a third party, whether the supplier can prove they have adequate technical and organisational measures in place to protect the data, and whether the contract gives the data controller audit rights over the cloud provider’s facilities, as required by article 28 of the GDPR.
“There also has to be a clause that says the cloud provider will return or delete the data at the end of the contract,” he said, adding that data controllers should consider adding a clause allowing them to have their data back at any time, and giving them the right to send people in to retrieve it.
And if a cloud service provider is tapping into the Azure or Amazon Web Services ecosystem, Lee said organisations need to ensure all contractual clauses flow down.
Highlighting the fact the GDPR conforms to the shared responsibility model when it comes to cloud security, Meeuwisse said one of the most prolific problems is misconfiguring cloud implementations. “Typically, consumers of cloud services fail to activate all the necessary and available security options, exposing themselves to unnecessary risk,” he said.
Another area that cloud consumers need to be aware of, said Meeuwisse, is that even if cloud providers have good policy and procedure documents, they are not necessarily applying them, and if cloud providers have certifications like SSAE 16, they may not be for the cloud supplier’s whole infrastructure and they may not be audited regularly. “Consumers need to ensure the contract they sign up for is specifically covered, because what a cloud supplier does for each customer may vary greatly,” he said.
Meeuwisse advises that organisations ensure at the start they are able to identify who is responsible for the protection of their data. “It can be a complete nightmare to identify who is responsible when the datacentre is owned by one company, the servers are owned by another company, it is operated by a third company, and the contract is with a fourth party,” he said.
“GDPR requires substantial business process re-engineering, but few organisations have resources to do it, and most are trying to deal with it as projects with insufficient resources or are underestimating the magnitude of what they have to do,” said Meeuwisse.
While much of the attention around the GDPR is focused on the potential fines, Knowles said it is the process part that most organisations struggle with, and in her view, presents one of the biggest risks.
“The big game changers in the GDPR relate to processes, all the way from collecting the data, through getting consent for that purpose, ensuring that the data is processed only for that purpose, providing data erasure and amendment mechanisms, to breach notifications,” she said. “All of those things represent potential risks and process work that organisations have to do to ensure they have the right processes and policies in place.”
Training is another important area of potential risk that typically needs more attention, said Knowles. “The people who are handling personnel need to understand the policies they are required to follow and the potential consequences of failing to do so,” she said.