Industry interview: Late to the third-party?
By the time you read this sentence, the European Union’s General Data Protection Regulation (GDPR) will finally have come into force and be in full effect. Law firms, like everyone else, are now required to demonstrate effective processes in their handling of personally identifiable information (PII), or themselves risk both the highly publicised new financial penalties and (harder to measure) potential long-term brand damage.
Sean O’Brien, managing director of DVV Solutions, says one key area of due diligence at most risk of underinvestment is the requirement to thoroughly risk-assess your full data supply chain. “As businesses outsource an ever-increasing number of functions and services – albeit for justifiable commercial efficiencies – their level of exposure to cybersecurity risk significantly increases while their control of it diminishes.” “Businesses show a tendency to prioritise the risk of penetration into the organisation through more direct means of attack, focusing expenditure on securing devices and internal networks,” he explains. “While third-party risk is often recognised, the time and resources applied to it are disproportionately low.”
This is backed up by research. For example, Bomgar’s 2018 Privileged Access Threat Report finds that two-thirds (66%) of businesses claim they could have experienced a breach due to third-party access in the last 12 months. And although three-quarters (75%) of businesses have seen supplier access to their networks increase, a third (33%) believe they spend too little time on monitoring third-party access. “The problem is immaturity of process,” says O’Brien. “Businesses just aren’t approaching risk in the right way. Ask yourself: What percentage of our data processing do we perform ourselves, and how much is outsourced? Then, critically: Is our spend on understanding and mitigating risks to our data and systems from third parties proportional?”