Information Security / The biggest challenge for GDPR compliance: Controlling suppliers
The biggest challenge for GDPR compliance: Controlling suppliers
7 May 2018 |
Back in November, Kaspersky Lab revealed how inappropriate handling of sensitive data by third party vendors had cost businesses over £1.2 million.
"Raising IT security budgets is only part of the solution, as the most staggering losses stem from the incidents involving third parties and their cyber-failures.
"While cyber security incidents involving third parties prove to be harmful to businesses of all sizes, their financial impact on a company has the potential to result in twice as much damage," said Alessio Aceti, head of the enterprise business division at Kaspersky Lab.
A new report from security firm UpGuard has revealed how third-party vendors pose the greatest challenge to businesses across Europe who are struggling to comply with GDPR which will come into force on 25th May.
The firm said that complying with GDPR will not be limited to securing endpoints and perimeters as the new regulation will be centered around the security of data, even if its in the hands of a vendor. Today's enterprise technology ecosystem is such that it involves a complex interrelationship of hosted and managed services, in addition to traditional on-premise network and data center architectures, and all of these will need to be secured in order to comply with GDPR.
"The heavy GDPR consequences for data exposure make third-party data handling a significant business risk, one that must be dealt with proactively, and with the same care as any serious financial risk to the organization," it said.
Learning from past breaches
While businesses need to act fast to ensure their vendors who handle customer or enterprise data are taking the required steps to prevent the leakage of such data, they should also learn from the experiences of firms who have suffered breaches in the past due to irresponsible handling of sensitive data by their third party vendors.
For example, in September last year, TigerSwan, a private security agency in the U.S., suffered a major data breach incident after a third party vendor hired by the firm uploaded sensitive details belonging to thousands of security officials to an unsecured Amazon S3 cloud server.
In November, it came to light that the Department of Social Services (DSS) in Australia suffered a major data breach incident after personal details of 8,500 current and former employees were exposed by a third-party contractor. The breached data included names, usernames, passwords, addresses, credit card information, e-mail addresses, Australian government services numbers, public service classifications and organisation units of 2,000 current and 6,500 former employees at the Department of Social Services.
In February this year, Swiss telecom major Swisscom announced that it suffered a major data breach last year after 'unknown parties' gained unauthorised access to data stored by a sales partner. The breach compromised 'non-sensitive details' of 800,000 mobile and fixed line subscribers like first and last names, home addresses, dates of birth and telephone numbers.
Proactively ensuring vendor compliance
UpGuard had also previously stated that if an enterprise with highly resilient and secure IT toolchain outsources the handling of sensitive or valuable data to third party vendors lacking such well-designed processes and systems, then the hiring enterprise should pay the price for any resulting exposure.
The firm has also said that enterprises and their vendors must share equal responsibility to ensure the security of sensitive data against exposure to the wider internet. Such responsibility will ensure that third party vendors will no longer be the weakest point in an organisation's cyber defence system.
It added that companies should take several steps such as carrying out independent external assessment, creating vendor questionnaires, and carrying out data breach audits to proactively reduce the risks that third parties pose in their data handling capacity.
While independent external assessments will ensure that vendors follow best practices against common threats and breach vectors, questionnaires will give an enterprise full visibility into how vendors store and process data, and data breach audits will reveal existing vulnerabilities before the same are exploited by malicious actors.
"Managing an infrastructure that extends beyond the borders of your data centers is a difficult process, but it is one that you can get your arms around by taking proactive measures to ensure your vendors are up to snuff and that your data is not exposed," the firm added.
Latest posts by Jay Jay (see all)
- A third of UK businesses still struggling to process data access requests - 23rd May 2019
- TalkTalk failed to inform 4,545 customers that they were victims of 2015 breach - 22nd May 2019
- Google stops Huawei’s access to Android updates and Google services - 20th May 2019
- Ten cyber criminals behind GozNym malware operations indicted in the US - 16th May 2019
- Less than 1% of data breach investigations by ICO resulted in monetary fines - 16th May 2019