Over one third of IT professionals are ‘very concerned’ about supply chain security risk, according to Infosecurity Europe poll

More than a quarter have no control over their data as it flows between third parties

Richmond, Surrey, UK: 27 May 2021 – Over one third (38%) of IT professionals say they are very concerned about the security risks third-party providers present to their organisation, according to the latest Twitter poll run by Infosecurity Europe, Europe’s number one information security event. More than a quarter (27.7%) admit they have no processes in place to control data and information flow between suppliers, with 20.1% simply having no idea whether any such measures have been implemented.

In addition to the IT professionals who are very concerned about third-party risk, a further 33.9% feel somewhat concerned, with a confident 28.1% saying they are not at all concerned. While more than half (52.3%) of respondents have a process in place to control data flow between providers, only 35.1% actually enforce this policy.

Infosecurity Europe also asked IT professionals what security prerequisites would be top of the list when preparing to work with a supplier. The number one priority was a full risk assessment (37.9%), followed by cyber insurance (24.3%), proven compliance (21.7%) and national accreditation (16.1%).

Recent research from the Ponemon Institute and SecureLink has found that almost half of all organisations have suffered a data breach via a third party in the past 12 months. The risk is likely to rise as businesses along the supply chain adjust to yet another shift in working models, creating new vulnerabilities. In addition, organisations will increasingly turn to third party providers as they seek to streamline their operations, widening their attack surface.

Maxine Holt, Senior Research Director at Omdia, endorses the value of a full risk assessment for every provider, but recognises the difficulty of keeping on top of them all. “The starting point is discovery: which organisations do you have relationships with? What’s the nature of the relationship; do they handle PII on your behalf? Then prioritise accordingly. Request compliance information, and details of cyber-risk insurance and accreditations. You also need to know where your data is and what it’s doing, and third parties must be able to ensure that data transfers are consistent with what has been agreed.”

Security policies for third parties should be clearly defined, communicated, and understood, advises independent researcher David Edwards. “Additionally, data protection clauses must be incorporated into the overall contract,” he says. “Where data is processed outside the EU, model clauses should be used – including consideration for the supplier’s outsourced providers. Technical security controls should also be checked; for example encryption, access management and data loss prevention systems.”

Meha Shukla, Researcher with University College London’s Department of Security and Crime Science, believes organisations need to assess not only security risks, but also operational resilience and liability risks in the event of disruption to citizen-centric services. She says: “Assessments should focus on holistic operational risks, including physical locations, people, processes and cyber, for critical components of composite services in the entire ecosystem. The government needs to support third parties in terms of an approach to a consistent benchmark and a roadmap for upgrading their capabilities. Organisations must also ensure that their risk reduction strategies do not stifle innovation.”

Nicole Mills, Exhibition Director at Infosecurity Group, says: “The security risks that lie within supplier ecosystems have been brought to the foreground in the last 12 months, with high profile breaches hitting SolarWinds, Microsoft, Blackbaud and Accellion. However, many organisations still appear to have no real control over what happens to their critical data as it moves along the supply chain. It’s no wonder concerns over third-party risk are so high. IT must put measures in place to control information flow and access, and carry out rigorous security checks and risk assessments before signing on the dotted line.”

The conference programme at Infosecurity Europe (13-15 July at Olympia London) will feature presentations, talks and discussions that provide valuable insight into reducing cyber risk, including within the supply chain. Relevant sessions include:
Keynote presentation: Enhancing Access and Control over your Supply Chains
Keynote Stage, Tuesday 13 July, 15:50 – 16:35
Jon Townsend, CIO, National Trust; Benjamin Corll, VP, Cyber Security and Data Protection, Coats; Robin Smith, Head of Cyber and Information Security, Aston Martin Lagonda Ltd; Peter Yapp, Partner, Schillings

This year’s event will combine both physical and virtual elements, with selected talks and discussions to be made available online. Registration is open here, and details on the complete conference programme are available here. The event will be run in strict compliance with COVID-19 guidelines, and more information is available here.

In addition to the live event in July, Infosecurity Europe will be running an exciting virtual conference from 8-10 June 2021 focused on rethinking and regrouping as the impact of COVID-19 continues to become apparent. The full agenda is available here.

Drawing 2,596 responses, the Twitter poll was conducted during the week of 17 May 2021. Infosecurity Europe also interviewed its network of CISOs and analysts to gather their views on third-party risk.

– Ends –

About Infosecurity Europe
Infosecurity Europe, now in its 25th year, takes place at Olympia, Hammersmith, London, from 13-15 July 2021. It brings together information security professionals attending from every segment of the industry, as well the leading industry suppliers showcasing their products and services, industry analysts, worldwide press and policy experts. Expert practitioners are lined up to take part in the free-to-attend conference, seminar and workshop programme. Find out more at https://www.infosecurityeurope.com

About Reed Exhibitions Global
Reed Exhibitions is a leading global events business. It combines face-to-face with data and digital tools to help customers learn about markets, source products and complete transactions at over 400 events in 22 countries across 43 industry sectors, attracting more than 7 million participants. Our events leverage industry expertise, large data sets and technology to enable our customers to connect face-to-face or digitally and generate billions of dollars of revenues for the economic development of local markets and national economies around the world. Reed Exhibitions is part of RELX, a global provider of information-based analytics and decision tools for professional and business customers. www.reedexhibitions.com

About RELX
RELX is a global provider of information-based analytics and decision tools for professional and business customers. The Group serves customers in more than 180 countries and has offices in about 40 countries. It employs over 33,000 people, of whom almost half are in North America. The shares of RELX PLC, the parent company, are traded on the London, Amsterdam and New York Stock Exchanges using the following ticker symbols: London: REL; Amsterdam: REN; New York: RELX. The market capitalisation is approximately £33bn, €39bn, $47bn.*

*Note: Current market capitalisation can be found at http://www.relx.com/investors
