Disruptive Seasons Spring 2022 – Robert Batters and Data
Robert Batters: Hello. I have a question for you. Who’s looking after your data? I mean, right now? My name is Robert and I’m the director of Managed and Technical Services at Northdoor PLC. And if you’ll indulge me, I’ve got some other questions for you. Do you have full control over every element of the service or product you deliver, that’s from A to Z, from start to finish? Do you use partners to deliver your service or your product? Perhaps just as importantly, do they use partners to deliver your service? Do your partners and theirs handle your data? Do you know how good their security is? All of which leads to the most important question. Can you trust your supply chain, and can you trust it with your data? Before I attempt to answer that, let’s put this into some context.
The UK’s National Cyber Security Centre has issued an alert and is now warning businesses that there is an increasing threat of ransomware-type cyber attacks. The last two years have seen a real increase, both in their number and indeed in their sophistication. A good example is the double extortion attack, which sees cybercriminals not only steal a company’s data but also threaten to publish it. Now, this can be particularly effective in targeting a certain sector where the data is incredibly sensitive. So if some part of your supply chain has access to your data, then this represents a risk that you need to consider, and you won’t be alone in that.
Now, of course, as a consequence, it follows that supply chains are an area of real interest for cybercriminals. Such people are always seeking less well-guarded entry points into networks and systems. You may have been through your own security with a fine-tooth comb, but what about the other guy? You know the one. He’s the guy who does a great job for you. Never fails. But is his business a secure resource? Do you know? It’s clear that businesses need to do more to ensure that they have an insight into the vulnerability of their supply chains and that any gaps in security are plugged.
For too long, trust between partners in a supply chain has been based on perception rather than hard fact. There’s quite a natural assumption that every member of the chain is competent to deliver the tasks that it says it can. You may have been doing business with your partners for years, and for the extra peace of mind, maybe you prepare and issue questionnaires and spreadsheets and the like, and maybe even take up references with third parties for reassurance. But ultimately, your partners are asking for your trust.
There’s also the matter of the integrity of every member of the chain. Simply put, there’s an assumption that they will fulfil their promises. This is usually taken as a given, and it’s regularly based upon your own experience with them. I mean, that’s great, but as they say, past performance is no guarantee of the future. Now, such intangible measurements cannot ensure that your partner is looking after your data. They can’t ensure that they pay as much attention to their own cyber security as you do to your own. The possibility exists, therefore, that trust without evidence could result in an open back door into your very own infrastructure. There has to be a better, more comprehensive approach to securing supply chains. Something else to consider is our old friend GDPR.
Now, as a result of GDPR, any supply chain partner working for you with your personal data in any way at all becomes your data processor. Therefore, it is a regulatory requirement to have the right to audit their IT service as part of your contract. In my experience, I’ve been working with my own business partners to that end, and with some of them I’ve spent some time going over my own security arrangements, and we do that as an in-person scheduled event. We treat it as a mutual exchange of what we see going on in the world, and we agree to make changes as the world changes around us.
Now, some might consider such a meeting to be an ordeal to be endured. But it’s really not about the examination. It’s about a process, an ongoing process with a regular checkpoint, about how are we doing? How can we do this better, and how can we do this together? Now, quite often you’ll find that an audit takes the form of a self-certification spreadsheet. Perhaps your partner fills in a form once a year. Now, not everyone has the time to sit down and examine everyone else’s security systems in fine detail. So while questionnaires of this form still have their place in supplier governance, they cannot offer a true reflection of the state of a partner’s IT practices and cyber defence capability at anything more than a point in time. So what’s the solution? Ransomware and other tech attacks are not going to go away. A brief look at the headlines will confirm that it’s a turbulent old world out there right now. However, it’s not all bad news; there’s some help at hand.
The NCSC is a really good source of information. On their website you’ll find their 12 principles of supply chain security, and if you’ve got the time to take a look, I do recommend it. It’s a very, very good read. Furthermore, it has recently launched its Ransomware Hub, a place to learn about the threat of ransomware and what you can do to better secure your data. Now, it’s widely agreed that education plays a key part in preventing attacks. Indeed, this goes beyond the simple classroom presentation to the more practical one. Some anti-phishing solutions offer not just filtering, but also email alerts to educate the end-user about the likely veracity of the very email that they are looking at. Others provide the ability to deliver custom phishing simulations, so we can test our users and learn the way they work, and for them to learn more about phishing and what they can do about it. Above all, it’s important we keep talking about the threats we face, both employee to employee and partner to partner.
Some businesses are turning to AI-powered software that allows companies to gain a 360-degree, accurate view of not only their own security, but the entire supply chain from A to Z, from start to finish, giving them a real insight into possible vulnerabilities which otherwise may well have been missed. So I asked a question. Can you trust your supply chain, and can you trust it with your data? You will be able to give a much more confident answer to that question if you gain an informed and clear view of possible gaps in security throughout the supply chain. The need to close these gaps should become a mutual challenge: working together for the common good towards a secure relationship, and a matter of ongoing conversation between partners, maybe even a contractual obligation. The back door that so many cybercriminals are looking to access and exploit then becomes just that little bit less attractive. Come on, everybody. Let’s close the door.