The 8 Themes of IASME Cyber Baseline – Organisation

Mar 27, 2024 | IASME Cyber Baseline

What is this theme about?

Most organisations use an IT product or service provided by someone else. An example might be Office 365, a social media management platform like Hootsuite or a data storage solution like Google Drive. This product or service will inevitably interact with your IT network and organisational data. A security gap, or ‘vulnerability’, in the systems of one of your third-party suppliers, contractors or partners may undermine the security of your own systems, however good that security is.

In addition to third-party products and services, it is not unusual for an authorised person who is not in your company to access your company information. This might be because they are a consultant working on a job with you, or a managed service provider (MSP) that helps you with your IT. It is good practice to allow third parties to access only the information they need and no more, and to regularly review what access they have.

It is recommended that you take these steps:

  • Know who your third-party suppliers and partners are and maintain a list of their up-to-date contact details.

  • For every third party you engage with digitally, check their cyber security measures. Security certifications are one way for an organisation to demonstrate that it has met a defined standard of cyber security, and they are usually published on the company website in areas such as security certifications or a trust centre. Look out for:

      • IASME Cyber Baseline
      • IASME Cyber Assurance
      • SOC2
      • COBIT5
      • PCI-DSS
      • ISO27001

  • Have a process to understand and manage the access third parties have to your organisational data. For example, keep a register of admin and user accounts recording who holds them, when they were created and when they were relinquished.

  • Conduct frequent reviews of the access that third parties hold, e.g. who has an administrator account and what access does that give them? Do they still need that account and that access?
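As an added illustration, not taken from the IASME page, the following Python script keeps the kind of register described above and flags the items an access review should raise: active administrator accounts, accounts outliving the supplier's engagement, and accounts not reviewed recently. The field names, the 90-day review interval and the sample suppliers are assumptions.

```python
"""Third-party access register review (added illustration, not IASME material).

Assumed register fields: supplier, account name, privilege level, creation date,
last review date, engagement end date and relinquishment date.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Entry:
    supplier: str
    account: str
    privilege: str                        # "admin" or "user"
    created: date
    last_reviewed: date
    engagement_end: Optional[date] = None  # None = engagement still ongoing
    relinquished: Optional[date] = None    # None = account still active


def review(register: List[Entry], today: date,
           review_interval_days: int = 90) -> List[Tuple[str, str]]:
    """Return (account, reason) findings for the reviewer to act on."""
    findings = []
    for e in register:
        if e.relinquished is not None:
            continue  # already removed; nothing left to review
        if e.privilege == "admin":
            findings.append((e.account, "administrator account: confirm still required"))
        if e.engagement_end is not None and e.engagement_end < today:
            findings.append((e.account, "engagement ended but account still active"))
        if (today - e.last_reviewed).days > review_interval_days:
            findings.append((e.account, "access not reviewed within interval"))
    return findings


# Constructed sample register: fictional suppliers and account names.
REGISTER = [
    Entry("Example MSP Ltd", "msp-admin", "admin", date(2023, 6, 1), date(2024, 3, 1)),
    Entry("Example Consultancy", "consult-jdoe", "user", date(2023, 11, 15),
          date(2023, 11, 15), engagement_end=date(2024, 2, 29)),
    Entry("Example SaaS Support", "saas-support", "user", date(2024, 1, 10),
          date(2024, 1, 10), relinquished=date(2024, 2, 1)),
]


def sample_findings() -> List[Tuple[str, str]]:
    """Run the review over the sample register as of 27 March 2024."""
    return review(REGISTER, date(2024, 3, 27))


if __name__ == "__main__":
    for account, reason in sample_findings():
        print(f"{account}: {reason}")
```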