CHAPTER 8: INTERACTING WITH PARTNERS AND SUPPLIERS – Managing Information Risk: A Director's Guide


The world is fully connected and it’s impossible not to interact digitally with partners, suppliers and, often, customers. Yet those partners present a very real threat to your business. How frustrating, if you have undertaken all the necessary risk management, only to see the house of cards knocked over by a clumsy partner with sloppy security.

It’s a problem that’s mushrooming as digital handshakes become the norm. According to the Ponemon Institute’s 2008 Cost of a Data Breach report, the percentage of incidents in which a third party, such as a consultant, was responsible for a data breach increased from 21% in 2005 to 44% in 2008. Those mistakes are more expensive too – the per-record cost of a third-party data loss is $52 more than that of a breach for which the organisation itself was responsible.

So, third-party security is almost as important as your own – and more difficult to control.

You need robust documentation setting out the standards you expect data-sharing partners to meet. Consider doing business only with companies that hold proven system accreditation to recognised standards.

The expected standards, and the consequences of failing to meet them, must also be contractually clear, and you need a plan for measuring the third party’s performance against those standards. Prepare financial penalty clauses and ‘right to terminate’ terms, which transfer some of the risk to suppliers.

Your organisation needs to be clear, from the top down, about who owns the data being shared and who is responsible for systems located elsewhere. Ensure that all staff know exactly what information they can share with third parties, and that they report back if a third party requests information outside its remit.

The supply chain is another potentially weak link in your carefully planned risk-avoidance fence. It is a loosely organised chain of people and organisations, and malicious activity at any point along it poses downstream risks to the business processes supported by the information systems it delivers.

These risks include:

• The introduction of vulnerabilities into information systems.

• Difficulty in determining the trustworthiness of information systems, because the security controls needed to ensure adequate security are themselves inadequate.

• Inability or difficulty in determining the trustworthiness of the service providers that supply the security controls needed to ensure adequate security.

These remote threats pose significant challenges, and organisations need to consider how they can safeguard against malicious activity conducted many miles away. Safeguards against these threats, as stipulated by NIST, include:

• Investigating the provenance of the information technology products and services provided.

• Using a diverse set of suppliers to minimise the adverse effects of a single bad apple.

• Seeking transparency in product design.

• Minimising the time between the decision to purchase information technology products or services and their actual delivery, to reduce the window of opportunity for malicious activity by adversaries.

• Ordering standard configurations of information technology products and systems to reduce the probability of malicious code insertion.

• Testing newly acquired hardware for unauthorised, covert modifications.

• Reducing the insider threat during information system upgrades, or when replacing information technology components, by using different system administrators at different points in the organisation’s layered defences.