Blog Post

The Challenges Of Protecting Data | Exigent

June 12, 2017

By Wayne Ramsay – Global Chief Operating Officer


Wayne Ramsay COO, Exigent Group, explains why procurement teams sharing data with third parties is a strategic consideration.


Amid the recent high-profile hacking incidents (Sony, Ashley Madison), it is no surprise that information security is being scrutinized. The reality is that the pace at which we are digitizing information is increasing by the day, which means that more and more of your information, whether inadvertently or through a malicious attack, can end up in the wrong hands. Across the globe and irrespective of industry, data loss, whether leaked, lost or stolen, is a genuine issue.

McKinsey suggests that many companies are not only struggling to deal with the challenges of protecting their data; they are also at a loss to understand where it is and who has access to it. Leaving a laptop on a train, misplacing a USB drive or having a disgruntled employee publish or sell sensitive information is as much of an issue as an external hacker breaching your firewall. Protecting your data extends well beyond firewalls and intrusion detection. Yes, perimeter hardening is necessary and in some ways easier to implement, monitor and manage. According to an IB article, John McAfee believes Ashley Madison’s breach was the result of a disgruntled insider, a claim, I might add, he also made about the ‘Sony hack’ of 2014. Although formally rejected by the FBI, some experts came out in support of McAfee’s postulations. Irrespective of who or how, what has become clear is how naïve Avid Life were, for instance, with their password enforcement policy.

Dan Goodin highlights how CynoSure Prime was easily able to crack the Ashley Madison passwords due to weak encryption, poor password policy and laissez-faire password enforcement. Just under half the passwords cracked thus far reveal a poor understanding of digital hygiene. However, given the nature of the Madison attack, password strength would have offered little if any additional defense. That said, it was evident (see below) that in this case information security was well below the expected standards and neither appreciated nor understood.

The top five passwords discovered to date are:

  1. 123456
  2. 12345
  3. Password
  4. DEFAULT
  5. 123456789
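As an added illustration of the enforcement gap described above (this is not code from the post or from Exigent), the following password-acceptance check rejects all five passwords listed, using a denylist seeded with those values plus length and sequential-digit rules; the denylist and the 12-character minimum are assumptions chosen for the example.

```python
from typing import List

# Constructed denylist seeded with the five passwords quoted in the post.
# A real deployment would screen against a full breached-password corpus.
DENYLIST = {"123456", "12345", "password", "default", "123456789"}
MIN_LENGTH = 12  # assumed policy minimum for this example


def is_sequential_digits(pw: str) -> bool:
    """True for ascending or descending digit runs such as 123456 or 987654321."""
    if not pw.isdigit() or len(pw) < 4:
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in DENYLIST:  # case-insensitive, so 'Password' and 'DEFAULT' match
        problems.append("on the denylist of known weak passwords")
    if is_sequential_digits(pw):
        problems.append("sequential digits")
    if len(pw) >= 4 and len(set(pw.lower())) <= 2:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "12345", "Password", "DEFAULT", "123456789",
                      "correct horse battery staple"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```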

Data protection needs to be a strategic play and the first agenda item for the Board. What is more, the value of putting suitable information security measures in place to mitigate any risk needs to be clearly understood and positioned as a USP, because having vital information leaked into the public domain, especially client information, is a violation of your obligations and carries severe repercussions. Furthermore, exposing your enterprise to litigation, fines and sanctions translates into loss of market share and erosion of shareholder value, often irrevocably damaging brand and reputation.

Procurement is often blindsided as to the integrity of its data held by third-party suppliers. Today we know that enterprises are increasingly reliant on third parties to provide scale, reach and agility. Suppliers are an extension of your business and of key strategic importance. Process and policy should be in place to ensure that the data which lies with the supplier is being protected and maintained at the level of information security and service delivery agreed in your supplier agreements. Categorization and management of your data are key to understanding how to protect it. Information security is about protecting your data: placing a value on it, establishing who has access to it, and understanding what the impact on your business would be should it fall into the wrong hands.

In fact, the management of third parties has become crucial enough for the International Organization for Standardization to include an annexure within its Information Security Management Systems standard, ISO/IEC 27001:2013, solely for the purpose of managing Infosec between a principal and its third parties. The principal areas of concern are:

  1. Access to confidential information, the integrity of the data being made available and the exposure of your information to the general public.
  2. Screening protocols during the procurement cycle, as well as ongoing audit processes.
  3. Training and education on existing and new policies and legislation.
  4. Access control: who, what and when.
  5. Contract clause compliance and enforcement of the terms within your agreements.

Exigent designs bespoke Infosec and contract lifecycle management solutions, using its Chameleon contract management tool and accredited ISO professionals. Our service gives procurement sight of the flash points in a contract, aids the management of service delivery to expected levels and monitors security controls using industry-specific gap and risk analysis methodology. We believe it makes perfect sense from both a legal and a commercial perspective to understand and manage the Infosec risks to your organization and to provide greater control over them.

Visit our Chameleon solution to see how we can help.
