With the GDPR compliance deadline of May 25 almost upon us, recent events have highlighted the importance of locking down third-party risk. Attacks on supply chain partners, Facebook’s data leak scandal and a new report from the National Cyber Security Centre (NCSC) have all come at an opportune time to illustrate the potential liabilities facing firms.
The GDPR will require much stricter due diligence and new contractual provisions between data controllers, processors and other third parties. Access controls in particular should be front and centre when dealing with suppliers. This is an opportunity to differentiate on improved security, so grab it with both hands.
A complex web
Our modern digital world is increasingly built upon a complex web of supply chain inter-dependencies. Yet this complexity exposes gaps, which attackers are more than ready to exploit — to devastating effect in the case of the 2017 NotPetya ransomware campaign.
Partners and suppliers can introduce risk in a number of ways: malware on a contractor's laptop that connects to the corporate network, for example, or network log-ins stolen from a third-party employee and used to access your customer databases and IP stores. This is what happened to US retailer Target in an infamous 2013 breach affecting 70 million customers.
Earlier this month, multiple US gas pipeline companies were hit after an attack on a third-party “electronic data interchange” (EDI) services supplier. The supply chain risk is so great that it has even warranted attention from the NCSC, whose report claimed:
“When done well, supply chain compromises are extremely difficult (and sometimes impossible) to detect. Network monitoring can detect unusual or suspicious behaviour, but it is still difficult to ascertain whether a security flaw has been deliberately introduced (possibly as a backdoor) or results from a careless error on the part of developers or manufacturers – or indeed to prove that any potential access has been exploited.”
Third-party risk is everywhere, and if it is not managed correctly it can lead to a serious security incident or breach. Facebook’s current challenges highlight just how high the stakes can be: in this instance it was more a process and Terms of Service failure, but nevertheless the firm has paid dearly in terms of a share price dive and user attrition.
Fortunately, the GDPR has plenty to say on the matter.
The new EU privacy legislation will hold both the data controller and the data processor (e.g. a cloud service provider) responsible for any breach. The law has been designed explicitly to drive greater accountability and transparency in how personal data is used by companies. Thus, organisations must revise their contracts with suppliers and partners and audit them for GDPR compliance.
Any plans should probably include the following:
- Carry out a full audit of the supply chain: understand what data is being processed, by whom, and what controls are being enforced
- Draw up new contracts to gain assurances that any third parties will be GDPR compliant by 25 May, and that they won’t outsource any GDPR-scoped work without approval
- Contracts should detail what data will be shared, what it can be used for, how long it will be stored for and how it will be disposed of
- They should also ensure that appropriate security controls are in place — enforcing the same baseline security standards as your organisation
- Also consider background security checks on employees in contracting firms
- Understand where your suppliers’ datacentres are located and the rules around data transfers outside the EU
Focus on access management
It’s obvious from the above that much of this compliance work will revolve around enforcing minimum security standards on your suppliers. According to the NCSC, organisations should mitigate supply chain risk by:
- Understanding the risk
- Establishing control
- Checking your arrangements
- Continuous improvement
As mentioned, one of the key ways partners can expose you to cyber-risk is by being compromised themselves, giving attackers a stepping-stone into your organisation. The GDPR is relatively generic in the advice it offers organisations on cybersecurity, stating only that they should consider the “state of the art” and “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
This means in practice following established frameworks like ISO 27001, or advice from the likes of the NCSC, which urges firms to mitigate breaches by protecting endpoints, networks and the information itself. On the latter, it advises that organisations:
- Implement a policy of “least privilege” for all devices and services
- Use multi-factor authentication to protect sensitive information
- Ensure that all services are protected by strict authentication and authorisation controls
At Centrify, we fully agree with this assessment. With 81% of breaches involving weak, default, or stolen passwords, it’s clear that organisations must take a Zero Trust approach to access security. This means assuming an “always verify” stance, both for user and device, granting “just enough” access, and utilising the power of machine learning-based IAM systems. These can adapt over time to get more accurate about making risk-based access decisions, for maximum security and minimum user friction.
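To make the three NCSC points above and the Zero Trust stance concrete, here is a small worked example of an access-decision check. It is an illustration added to this post, not code from Centrify's products or from the NCSC; the role definitions, resource names, risk weights and thresholds are all constructed for the example. It shows least privilege (a role grants only specific actions on specific resources), mandatory multi-factor authentication for sensitive data, verification of both user and device on every request, and a simple risk score that steps up to MFA or denies rather than trusting a valid password on its own.

```python
"""Illustrative Zero Trust access-decision check (hypothetical policy engine).

Principles demonstrated:
- "always verify": every request is evaluated; network location grants nothing
- both user (role, MFA) and device (managed, patched) are checked
- "just enough" access: a role grants a minimal set of actions per resource
- sensitive resources always require MFA
- an additive risk score decides allow / step-up / deny
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Least-privilege role definitions: role -> resource -> allowed actions.
# Constructed sample data, not a real organisation's policy.
ROLE_SCOPES: Dict[str, Dict[str, Set[str]]] = {
    "contractor": {"ticketing": {"read"}},
    "support": {"ticketing": {"read", "write"}, "customer-db": {"read"}},
    "dba": {"customer-db": {"read", "write"}},
}

# Resources holding personal data or IP: MFA is mandatory regardless of risk score.
SENSITIVE_RESOURCES: Set[str] = {"customer-db", "ip-store"}

# Hypothetical thresholds for the additive risk score.
DENY_THRESHOLD = 60
STEP_UP_THRESHOLD = 30


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    mfa_passed: bool
    device_managed: bool          # enrolled in the organisation's device management
    device_patched: bool          # passes the patch-level posture check
    new_location: bool = False    # first time this user has been seen from here
    failed_logins_last_hour: int = 0


def risk_score(req: AccessRequest) -> int:
    """Additive risk score from device posture and behavioural signals (hypothetical weights)."""
    score = 0
    if not req.device_managed:
        score += 40
    if not req.device_patched:
        score += 20
    if req.new_location:
        score += 20
    score += min(req.failed_logins_last_hour, 5) * 5  # capped so one signal cannot dominate
    return score


# Decisions are recorded so the security team can review step-ups and denials.
DECISION_LOG: List[Tuple[str, str, str, str]] = []


def decide(req: AccessRequest) -> Tuple[str, str]:
    """Return (decision, reason); decision is one of 'allow', 'step-up', 'deny'."""
    # 1. Least privilege: the role must grant exactly this action on this resource.
    allowed = ROLE_SCOPES.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed:
        decision = ("deny", "role does not grant this action on this resource")
    # 2. Sensitive data: a password alone is never enough, whatever the risk score.
    elif req.resource in SENSITIVE_RESOURCES and not req.mfa_passed:
        decision = ("step-up", "MFA required for sensitive resource")
    else:
        # 3. Risk-based decision for everything that passed the static checks.
        score = risk_score(req)
        if score >= DENY_THRESHOLD:
            decision = ("deny", f"risk score {score} exceeds deny threshold")
        elif score >= STEP_UP_THRESHOLD and not req.mfa_passed:
            decision = ("step-up", f"risk score {score} requires MFA")
        else:
            decision = ("allow", f"risk score {score} within tolerance")
    DECISION_LOG.append((req.user, req.resource, req.action, decision[0]))
    return decision


if __name__ == "__main__":
    # Constructed scenario: a third-party contractor's credentials are used to reach customer data.
    stolen_creds = AccessRequest("contractor-42", "contractor", "customer-db", "read",
                                 mfa_passed=False, device_managed=False, device_patched=False)
    print(decide(stolen_creds))  # denied: the role never had that scope
    # Legitimate support staff on a managed, patched device with MFA.
    print(decide(AccessRequest("alice", "support", "customer-db", "read",
                               mfa_passed=True, device_managed=True, device_patched=True)))
```

The order of the checks matters: scope comes first so that a compromised low-privilege partner account is refused before any risk scoring, and the MFA requirement for sensitive resources is absolute rather than something a low risk score can waive. The decision log is what feeds detection, since a burst of step-ups or denials for one supplier account is exactly the stepping-stone behaviour the NCSC report describes.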