Data security and privacy are the foundations of today's world, a world in which the boundaries between business processes, people and technology are becoming blurred. Organisations face a new reality in which they own little IT infrastructure, and the biggest cyber security and data privacy risk comes from vendors and third parties outside their control. Do you remember the Target, Google Docs, Yahoo, AT&T and Play.com data security breaches? All of them were a consequence of third party cyber security failure. Research indicates that approximately 70% of data security and privacy breaches are caused by third parties.
The scope of an organisation's digital risk is expanding because of the new digital business environment: an environment made up of a broad external ecosystem and a growing number of intersections between technology and the physical world, such as intelligent chatbots, IoT, and connected and autonomous vehicles. For customer-facing organisations such as banks, publishers and insurance companies, this will be a major challenge. Digital business as we know it today depends on third party services and software. From business intelligence and analytics to social media and marketing, many of these services are provided not by the organisation itself but by third parties, and most organisations have no quick and easy way to gain instant and on-going visibility of their partners' data security and privacy posture.
On 25th May 2018, on-going visibility of your third parties' data security and privacy posture will become paramount for any organisation interacting with or serving European customers anywhere in the world, because on that date the new EU General Data Protection Regulation (GDPR) comes into effect. Organisations that collect and process EU customers' personal data, such as name, address, email, financial records and IP address, must obtain clear and specific permission to do so. The regulation requires organisations to institute strong data security and privacy measures: they must know where every piece of customer data is stored, where it came from and with whom it is being shared, appoint a data protection officer, and inform users within 72 hours of a data breach so that they can take steps to protect themselves.
Organisations that fail to comply with the regulation could face steep fines of 2% and 4% of total annual turnover. On that basis, the likes of AT&T, Target, Google and Wal-Mart could be fined between €53 Million and €5.83 Billion if a third party acted negligently again and caused a data security breach. Consequently, organisations must not only protect customer data across their own IT environment, but also ensure that the processes and practices of their third parties are secure and compliant with GDPR requirements.
Traditionally, third party risk assessments have been conducted manually, collecting answers to surveys and questionnaires via email, spreadsheets and planned visits to third party organisations. This is an extremely labour-intensive, time-consuming and expensive process, which organisations often outsource to yet another third party! With this approach, organisations will never gain on-going visibility and clear insight into their third parties' data security and compliance posture. They gain only a snapshot at the time of the assessment, which quickly becomes outdated and irrelevant as systems and business processes are upgraded. As a result, organisations fall short across a number of GDPR articles and controls, end up non-compliant, and are exposed to business disruption, financial loss, reputational damage and huge fines.
Fulfilling GDPR third party compliance requirements calls for a material shift in how organisations assess the risk of their current and potential third parties. Organisations must have clear, comprehensive and frequent insight into their third parties' data security and GDPR compliance so that they can instantly align it with the data security risks of their own business processes, people and IT infrastructure.
At CyNation, we provide solutions that allow organisations to accelerate third party security and compliance risk assessment and monitoring, verifying whether their third parties comply with the GDPR and other industry standards such as ISO 27001, ISO 31000, ISO 27017 and PCI DSS.
Our cloud-based solutions automate and streamline the whole lifecycle of third party security risk assessment: distributing assessment questionnaires, monitoring responses, aggregating and analysing them, collecting and analysing evidence, instant reporting and action plan generation. CyReg™ GDPR relieves organisations of the tedious manual tasks of third party risk assessment, offering a systematic, step-by-step approach to evaluating an organisation's GDPR readiness and quickly and accurately identifying data privacy and compliance gaps within the organisation and its third parties. CyNation's Security Scorecard gives organisations in-depth insight into the cyber health of their third parties, including their supply chain, vendors and other parties.