As the recent attack on the Association of British Travel Agents (ABTA) shows, it is clearer now than ever that the personal details of thousands of consumers are exposed to cyber-criminals. To avoid suffering the same fate as ABTA, what can organisations do to prevent criminals from accessing and stealing data, and protect their reputation in the process?
Relying on a third-party hosting provider, which can deliver IT capabilities and expertise that a company does not have in-house, is one way of adding security measures. But a company that partners with a hosting provider is only as secure as that provider. So, what should service level agreements (SLAs) look like, and what key security features should companies consider when choosing a hosting provider?
As GDPR looms, breaches are set to become even more damaging for brands. Its breach-notification provisions act as a name-and-shame mechanism: a data controller must notify the supervisory authority of a breach without undue delay, and where feasible within 72 hours of becoming aware of it (Article 33), and must also communicate the breach to the affected individuals where it is likely to result in a high risk to them (Article 34), leading to greater public scrutiny. Failing to notify, or failing to cooperate with the regulator, can result in heavy financial penalties.
If a company chooses to outsource its IT management, GDPR (Article 28) also requires a binding written contract with the third-party processor that sets out how personal data is protected, and Article 33(2) requires the processor to report any breach to the company without undue delay. Organisations therefore need to ensure that contract agreements and procedures are in place to detect, report and defend against cyber-attacks, and the SLA is the natural place to set out the required timescales for each.
In the case of ABTA's breach, there are lessons to be learned. Had the breach occurred after GDPR came into force, and had the stolen data been rendered unintelligible through encryption, the company would not have had to communicate the breach to the data subjects. Article 34(3)(a) exempts a controller that has "implemented appropriate technical and organisational protection measures" which render the data unreadable, and therefore useless, to anyone not authorised to access it, and it names encryption as the example. Two caveats apply: the exemption only holds if the decryption keys were not also compromised, so the keys must be stored and managed separately from the hosted data, and the separate duty to notify the supervisory authority under Article 33 still has to be assessed on the risk the breach poses. Companies looking to protect their credibility as well as customer data in the run-up to the new legislation should seek to include encryption of stored data, with clearly defined key custody, as part of their SLA with a managed service provider. Many third parties offer this as a value-add service within a wider security offering.
On top of this, companies that entrust their infrastructure to a third party should expect additional security services, with each written into the SLA alongside a measurable commitment, including:
- Continuous vulnerability scanning of externally reachable entry points, with agreed timescales for remediating findings
- Intrusion detection systems providing 24/7 real-time network threat monitoring, with an agreed time within which the customer is alerted
- Two-factor authentication on administrative and customer-portal access, to reduce the risk that stolen credentials lead to compromised data
So, what should companies do if they are unhappy with their current third-party agreement? If there are repeated breaches or failures to meet the SLA, the contract should allow the customer to terminate without penalty or dispute. Some providers also grant a right to audit their security controls, depending on the provider and the term of the contract in question; GDPR Article 28 in fact requires a processor to allow such audits by the controller. However, many contracts are non-negotiable until the renewal stage, which is why it is so important to set out the correct levels of service, and the requirements of the upcoming GDPR legislation, at the beginning of the contract.
Ultimately, while working with a third-party service provider can bring great business benefits, it can also expose organisations to new vulnerabilities. By entrusting IT supervision to an outside entity, however professional, a company puts distance between itself and its own data security, and it needs firm assurance that the data is being properly protected. This is why it is important to ensure that your chosen third-party provider has the security tools needed to comply with the coming law changes, and can meet your internal service level expectations, within a set of comprehensive SLAs.
Contributed by Jon Lucas, director, Hyve Managed Hosting
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.