Embedding safety culture and behaviour

In times of uncertainty we can see that demand for information security and risk management is increasing daily. How is our volatile, uncertain, complex and ambiguous (VUCA) world impacting healthcare services and companies that need to adapt to it?

The rush to use cloud services sometimes means organizations are not thinking fully about the risks. Thinking that “it’s in the cloud, therefore it’s safe” is wrong, though vendors may claim it is.

Therefore, it’s important to ensure that information risk is managed properly, and one way to do that is to embed safety culture when working with suppliers.

There is a risk to business activities if information becomes disclosed to those not authorized to see it, or if information or systems fail to be available or are corrupted.

It is therefore important that we take the appropriate security precautions to ensure that the third-party suppliers we work with have the right measures in place to protect the confidentiality, integrity and availability of information.

According to this Ponemon study, more than 56% of organizations reported data breaches in the past two years that could be linked to third parties. On top of that, 6% were unsure whether they had suffered a data breach at all.

What we can do to ensure that we have effective, preventive controls in place:

  1. Assess supplier networks
    1. Consider including your expectations for security controls and periodic auditing within vendor contracts to ensure that your selected suppliers meet the same level of scrutiny as your internal enterprise. 
  2. Know your risks
    1. Identify your most valuable assets, such as intellectual property, proprietary information, and customer and employee personal data.
  3. Include third parties in your remediation plan
    1. Don’t assume that suppliers will handle everything for you.

Once we understand what assets we need to protect, it is easier to assess the risks. We must also remember to form partnerships with providers to ensure that value from services will be maximized and at the same time, both parties will be accountable for protecting critical data.

But how should we mitigate the risks, as the question is not if but when a breach will happen?

  1. Contract
    1. Security and risk mitigation requirements must be included in an organization’s contractual agreements with third-party vendors and service providers.
  2. Incident Response
    1. Does the service provider have an enhanced and up-to-date incident response plan? Does the third party test the resiliency of the plan and go through simulated tabletop exercises?
  3. Assessment
    1. Accept standardized questionnaire content based on well-known security best-practice frameworks (e.g. ISO 27001, NIST).
  4. Penetration tests
    1. Look for vulnerabilities, such as unapplied patches and potential attack vectors, that could put your data at risk.
  5. Strong Access Controls
    1. Where possible, ensure vendors are using your systems and relevant controls to access your environment.
  6. Minimize risky providers
    1. Continuously monitor the cyber posture of the supplier and receive live alerts on any significant changes.

There’s too much at stake right now, so one of the things we can do is to raise awareness, build community and ensure that continuity of services will be maintained.

This post was authored by: Radoslaw Gnat