Security risks from third parties are on the rise. A 2017 study from Ponemon Institute found that 56 percent of respondents admitted to a security incident caused by a third party, an increase of 7 percent over 2016.
This is a concern at any time, but with GDPR now in force, the security of third-party vendors and consultants matters more than ever: a security failure on their side will end up costing your company money if it results in a breach of your data.
So how do you approach third-party security in a GDPR world? The first step, according to Darron Gibbard, chief technical security officer EMEA at Qualys, quoted in a Helpnet Security article, is to tier your vendors and other outsiders who have access to your network. The tiers are based on the level and volume of data each party can access, so that the most critical relationships stand out. To build them, your risk team should send questionnaires to everyone who has any access at all, to establish exactly what information they can reach, why, and how often. With this information in hand, you can develop an accurate response plan organized around those tiers. You may also find that the amount or type of access granted to some lower-tiered companies can be revised.
Larry Lunetta, VP of marketing for security solutions at Aruba, a Hewlett Packard Enterprise company, also reminds us that, if you haven’t done so already, your GDPR preparations should take your third-party vendors into account. For example, when establishing a dedicated Data Privacy Officer (DPO), that person will help the company meet GDPR requirements and should keep tabs on third-party practices and data systems as they affect your business. Lunetta added:
To support the DPO with additional expertise on making decisions such as, “We need X solution to address Y compliance/security requirement,” it’s imperative for IT security teams to conduct regular self-assessments for uncovering gaps and determining options for remediating them.
Lunetta added the following tips for ensuring that your third parties are staying in GDPR compliance:
- Address cybersecurity governance because while it’s one thing to invest in security solutions that help address personal data protection, it’s another to use them in a manner that is also GDPR-compliant.
- Access Policy Governance – Having robust access controls isn’t good enough to comply with GDPR. Instead, you also need a set of policies that can be defined, implemented and enforced around how your enterprise controls access to personal data.
- In addition to governance around individuals who can access personal data as a requirement of their job function, pay attention to privileged users, such as systems administrators, who can circumvent standard controls inside of an application or a database. It’s imperative to identify these users, establish governance controls, and implement enforcement mechanisms through technology solutions such as network access control.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba