Effective Third Party Security Contracts

The InfoSec Consulting Series #7

By Jay Pope


The rise of outsourcing and strategic business partnerships, together with the increased use of third parties to provide cloud-based data storage and applications, carry major security risks for organisations. Below, we look at how risks arise, what kind of cybersecurity professionals an organisation should have on board, and how effective Third Party Security Contracts need to be put in place to cope with this increasing threat.


Cost of Data Breaches

For the past 13 years, IBM has sponsored a study into the cost of data breaches to companies and organisations. The study is carried out by the independent Ponemon Institute. The 2018 report disclosed that the world-wide average cost of a data breach had risen 6.4 percent over the previous year, to $3.86 million. The average cost associated with each record containing sensitive and confidential information similarly increased, by 4.8 percent, to $148.

Add to this the significant sums that a company may have to pay if it is found guilty of a data protection breach under the General Data Protection Regulation (GDPR). For repeat offenders, with the most serious kind of breach, the fines can reach 4% of annual global turnover or 20m euros, whichever is the higher. Unfortunately, the costs don’t stop there. Add in reputational damage and lost future business too.


Third Party Suppliers & Data Breaches

Another report, also carried out by the Ponemon Institute and sponsored by risk advisers, looked at the incidence of data breaches by third-party suppliers. The researchers spoke to 598 professionals in multiple industries. The figures were alarming: 40 percent of respondents felt a supplier wouldn’t tell them if it breached the security of confidential information, and 49 percent reported there had been a data breach at their organisation.

There are notable rises too in the security problems which involve third-party vendors. 73 percent of the survey respondents thought that they were becoming more frequent. There was also general agreement that, when it came to protective monitoring, it was difficult to manage vendors. It’s plain that many respondents don’t have effective Third Party Security Contracts that could reduce risks and allow swift and effective management of any that do materialise.

There is the further complication that many vendors sub-contract the work. The term “nth party” has been coined to encompass the fact that an organisation may unwittingly be allowing indirect data access to people over whom it has no control. The problem is compounded by remote working, where people may not meet and where the originating company has no idea whether any data protection measures are in place in home offices or remote working hubs.


Taking Back Control

One of the problems with running effective security in organisations is that unless people are specifically identified as responsible, governance can become blurred. Take the case where a business unit is running a project to implement new software and intends to supply user data for testing to a third-party vendor who is writing the application. Before the IT department is even aware of it, a disc containing confidential data is in the post to the vendor, who then sends it on to a subcontractor working from home. However, the vendor will have a contract with the business, and this must be specific enough about contractual security obligations that the vendor won’t risk this kind of shortcut.


What Kind of Professionals are Required?

Most IT departments don’t have the resources to send someone to sit on every project team and keep an eye on what they’re doing with their data. The risks need to be managed in two ways: through meaningful service level agreements (SLAs) with vendors, and through recruitment of the kind of professionals who understand both the technology and the risks.

The job of heading the team requires an individual who is senior enough to influence discussions with senior executives, audit policies and procedures, coordinate intelligence, develop strategies and pause any activity that is putting the business at risk of a data breach. They’ll be responsible for enforcing security KPIs. Both network and endpoint security tools need to be deployed, and the senior manager will also have to be an influencer, capable of developing a security awareness culture among the data owners and users.


Amending Third Party Contracts

Working to this strategic lead, the security team needs to draw on the expertise of a procurement professional who can specialise in drawing up Third Party Security Contracts with third-party vendors. These contracts may require an additional schedule, detailing the policies and procedures vendors must follow. These should include clauses that give your protective monitoring the access it needs to the vendor’s environment (Cyber Access), and if your tools need access to config files then there needs to be a clause to support that requirement. Standard clauses should define whether subcontracting is allowed and state the screening that the vendor’s employees must undergo before they are allowed access to systems. There should be specific restrictions as to how and where systems can be accessed, and key risks such as test data should be separately addressed. In this way, contractual security obligations become legally enforceable.

Lastly, cybersecurity engineers can develop the solutions that remediate any cyber threats. They should be people who have an appreciation of the way in which the threat is evolving and the new solutions that are becoming available. They’ll be responsible for testing the effectiveness of the security infrastructure, ensuring compliance, identifying faults and rectifying them, as well as acting instantly if a threat materialises without warning. They’ll also advise the procurement professionals on specific measures that are relevant to each vendor’s work and should be included in the contract documentation. The cybersecurity threat will continue to evolve, and businesses must demonstrate that they are being vigilant in protecting data.


Does Your Organisation Need Top Cyber Security Consultants?

We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.