Reducing data risk across the supply chain
Jeremy Hendy, CEO of digital risk protection company Skurio, advises on how companies can reduce data risk across their supply chain.
Businesses of all shapes and sizes are reaping the benefits of interconnection and data sharing outside their own, protected networks. But these benefits come at a price, especially for sensitive assets like customer data. And that price is increased digital risk.
Even firms with the best security defences for their own networks have little control over the security of the third parties they do business with. The bad news is that there could be hundreds or thousands of these partners, each with their own network of connections.
It is through these connections that threat actors can slip into an organisation’s network and steal its sensitive data. They may attempt to sell this information on the Open or Dark Web. This means that businesses need to be able to identify, as a priority, if their data appears on the Open or Dark Web and where it came from. By doing this they will be able to track down any breaches and stop them. One of the most effective ways of seeing if an organisation’s sensitive information is running loose is with watermarked data supported by sophisticated monitoring services.
Taking third party risk seriously
Organisations need to be careful when sharing data with a third party. Contracts and policies should be drawn up that lay out the security requirements everyone must keep to. This would include what levels of risk are acceptable along with penalties for not doing what has been agreed.
However, according to the UK Government’s Data Breaches Survey 2019, less than one in five businesses (18%) required their suppliers to follow any sort of cybersecurity standard or good practice guide. Staggeringly, the survey goes on to suggest that the main reason given for not worrying about breaches from suppliers is that it hasn’t happened before, so why should it happen in future? But with the Ponemon Institute finding that six in 10 companies experienced a data breach through a third party in 2018, it won’t be long before many of those who didn’t check the security credentials of their suppliers live to regret it.
One option for dealing with a third-party supplier is insisting that they hold at least ISO 27001 accreditation. This ensures that the supplier has a framework of policies and procedures in place for its information risk management processes. These policies and procedures encompass all legal, physical and technical controls.
The price of neglecting diligence can be hefty. There is not only the cost of the breach, but reputational damage and a potential fine from regulators. Under the GDPR this could also result in a crippling fine of €20mn or four percent of global turnover, whichever is greater.
The third party’s supplier
Even if an organisation is certain of a partner’s security credentials, what about their partner’s network of suppliers? How secure are they? While an organisation can insist that their supplier must only work with those who meet minimum security standards, breaches can still happen. In 2019, five thousand organisations were the victims of a data breach through Korean biometric specialist Suprema. In all, the fingerprints of some one million people were stolen. These organisations had no direct contact with Suprema, but their access control provider Nedas used its technology. That is how the connection was made. This shows that even if an organisation is certain of a partner’s cyber defences, there is no guarantee that the partner’s supply chain has the same level of security maturity.
Monitoring and watermarking
In the event of a data breach, the threat actors that have stolen the information are likely to try to sell it online, either on the Open or Dark Web. If an organisation’s specific data sets appear online, it is a clear sign that it has been breached. Yet finding and identifying this information is easier said than done. Businesses need to set up detailed, real-time alerts for the data sets held on their systems. By doing this, security teams are automatically told straight away if this information appears anywhere on the web, so that they can take appropriate action. This can include tracking down the source of the leak, notifying affected customers and changing login credentials.
Businesses typically have data spread across many different third-party partners. This means that when a breach happens it can be a long, drawn-out process to find out where it came from. One of the best ways to identify if information belongs to the organisation and where it came from is the use of watermarking. This technique involves tagging data with a unique synthetic marker. As this is not found anywhere else, the synthetic marker helps to avoid false positives and categorically flags data as belonging to a specific organisation. If the source is traced to a third-party partner, an organisation can then notify them and ensure they take steps to rectify the situation.
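The watermarking and monitoring technique described above, as an added illustration that is not code from Skurio or from the article: each partner receives the shared data set plus one synthetic customer record derived from a secret only the data owner holds, a registry maps each marker back to the partner it was issued to, and a scanner checks text surfaced by monitoring against that registry so a hit attributes the leak to a specific partner without false positives from ordinary addresses. The secret, partner names, marker domain and sample dump are all constructed for the example.

```python
"""Added illustration of per-partner synthetic watermark records and a scanner
that attributes a leaked dump to the partner whose copy carried the marker.
All names, secrets and sample lines are constructed for this example."""
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed: a secret known only to the data owner. Deriving markers from it
# means a partner cannot predict or recognise the marker in order to strip it.
OWNER_SECRET = b"constructed-demo-secret-rotate-in-production"
# Constructed: the domain used for synthetic marker addresses.
MARKER_DOMAIN = "example.com"

# Matches address-shaped tokens in free text (CSV rows, pastes, forum posts).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def make_marker(partner_id: str, secret: bytes = OWNER_SECRET) -> str:
    """Derive a deterministic, unguessable synthetic e-mail address for a partner.

    HMAC ties the marker to the owner's secret: the same partner always gets the
    same marker (so re-issued data sets stay attributable), while nobody without
    the secret can compute it or tell it apart from a real customer address.
    """
    digest = hmac.new(secret, partner_id.encode(), hashlib.sha256).hexdigest()
    return f"{digest[:12]}@{MARKER_DOMAIN}"


def build_registry(partner_ids: List[str], secret: bytes = OWNER_SECRET) -> Dict[str, str]:
    """Map each marker back to the partner whose copy of the data carries it."""
    return {make_marker(p, secret): p for p in partner_ids}


def watermarked_export(records: List[dict], partner_id: str,
                       secret: bytes = OWNER_SECRET) -> List[dict]:
    """Return the records to share with one partner plus its synthetic row.

    The synthetic row looks like any other customer but exists nowhere else,
    which is what makes a later sighting of it categorical rather than a guess.
    """
    return records + [{"name": "Synthetic Canary", "email": make_marker(partner_id, secret)}]


def attribute_leak(dump_text: str, registry: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan text surfaced by monitoring and report which partners' markers appear.

    Lookup is exact, so ordinary-looking addresses never produce a hit.
    """
    hits: Dict[str, List[str]] = {}
    for addr in sorted(set(EMAIL_RE.findall(dump_text))):
        partner = registry.get(addr.lower())
        if partner:
            hits.setdefault(partner, []).append(addr)
    return hits


# Constructed partner list and the registry the data owner keeps privately.
PARTNERS = ["acme-logistics", "globex-payroll"]
REGISTRY = build_registry(PARTNERS)

# Constructed sample of a paste that a monitoring service might surface.
# Only the middle row is a watermark; the other rows are ordinary addresses.
SAMPLE_DUMP = "\n".join([
    "jane.doe@example.org,Jane Doe,+44 20 7946 0000",
    f"{make_marker('acme-logistics')},Synthetic Canary,+44 20 7946 0001",
    "bob@example.net,Bob Smith,+44 20 7946 0002",
])

if __name__ == "__main__":
    for partner, markers in attribute_leak(SAMPLE_DUMP, REGISTRY).items():
        print(f"leak attributed to {partner}: {markers}")
```

Running the block attributes the constructed dump to `acme-logistics` and nothing else. In practice the registry must stay with the data owner and the secret must never be shared with partners, since the whole value of the marker is that a partner cannot locate and remove it before an export is mishandled.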
Combining data monitoring with watermarking can dramatically reduce time to detection and minimise the number of customers that might be affected. As a consequence, the chances of losing customers, having negative publicity and receiving a fine are all reduced.
Jeremy Hendy, CEO, Skurio
Jeremy Hendy is the Chief Executive Officer at Skurio. Jeremy has more than 30 years’ experience in high technology industries, working at companies including Texas Instruments, Symbionics and Cadence.