Third-Party Risk and the Digitisation of the Public Sector
The public sector handles some of the most private and sensitive personal data, including financial, health and social security records, and citizens have the right to expect it will be managed as safely and securely as possible. At the same time there is an ever-increasing demand for digitised, on-line and mobile-enabled services that depend on outsourced IT services and data processors who offer significant cost-efficiencies and expertise in project delivery.
Given the volume of electronic data travelling through these extended “data supply chains”, Government bodies are facing a huge expansion of their threat landscape and an unprecedented increase in risk. Recent high-profile breaches such as those at Carphone Warehouse, Ticketmaster and British Airways highlight the risks presented by third-party applications, IT management and data processing, as they offer new and potentially softer points of entry for threat actors to exploit – be it for disruptive, financial or political gain.
For example, organised crime is increasingly targeting public sector organisations because of the value of the data within personal records and the critical nature of system up-time. Together these make them prime targets for being held to ransom should an attack succeed, as the 2017 NHS WannaCry attack most notably highlighted.
Ensuring the integrity and security of outsourced IT models for national and local Government bodies has therefore become an essential task for governance, risk management and compliance (GRC) functions and project teams – yet it remains one of the areas of due diligence most at risk of underinvestment.
Third Party risk and regulatory compliance converge
The legal framework governing the use of PII data is complex. It includes the Health and Social Care Act 2012, the Data Protection Act, EU GDPR, PCI DSS 3.2, and the Human Rights Act. However, one thing remains constant – the need to ensure you have performed the highest level of due diligence and IT risk assessment when selecting and working with any third-party supplier.
In addition, regulators are now increasing the level of scrutiny placed upon individuals within organisations. The FCA’s Senior Manager and Certification Regime (SM&CR) that enforces senior manager/executive accountability for all aspects of risk and compliance is a clear sign of things to come.
The result is that you can no longer put off addressing your responsibility to fully understand your exposure to third-party risk, says Sean O’Brien, Managing Director at DVV Solutions. “Public Sector bodies and organisations are no different to most businesses, showing a tendency to prioritise the cybersecurity risk of penetration into the organisation itself through relatively conventional and direct means of attack,” he explains. “And while we find third-party risk is often recognised, management time spent on it is disproportionately low.”
This is backed up by research. For example, Bomgar’s 2018 Privileged Access Threat Report finds that although three-quarters (75%) of organisations have seen supplier access to their networks increase, a third (33%) believe they spend too little time on monitoring third-party access. Additionally, two-thirds (66%) of them claimed that they could have experienced a breach due to third-party access in the last 12 months.
“Boards consistently spend millions on tools to secure themselves, their networks and their premises. However, many have spent next to nothing on understanding how any outsourced service providers are protecting their data, alongside the additional risk domains they represent.
“The problem is one of immaturity of process and risk mindset. Ask yourself: What percentage of our data processing do we perform ourselves and how much do we outsource? Then, critically: Is our spend on understanding, managing and mitigating the risks to our data and systems from third-parties proportional?”
Mind the risk intelligence gap
There may also be a structural issue in play. “In the public sector we often come across decentralised procurement processes where due diligence is not always applied consistently or to sufficient depth. Where it is applied it can be very late in the supplier onboarding process and seen as merely a box-ticking exercise. Centrally, senior leaders and risk managers may not even know who all their suppliers are, what services they provide and what levels of access they have. Clearly that makes it impossible to get a firm grasp of risk and the regulatory compliance of the supply chain.”
Rectifying a situation like this can also be a big change-management effort. “We know it can be hard to persuade key decision makers and operational owners to relinquish control in other areas of management, but regulations such as GDPR raise the stakes and are bringing a more measured approach from the top down,” he says.
“When outsourcing a process involving PII data you need to evidence responsibility for how that data will now be managed in a contractual form,” he says. “We’re not lawyers but we would expect to see certain key terms in that contract including the ‘right to audit’.”
There are also key understandings to be reached in said contract, such as jurisdiction of data storage, access rights, and any further sub-contracting that will occur. “You may find you’ve fourth or even fifth parties to consider, with liability reaching right down that chain,” says O’Brien.
GDPR has definitely been a game changer. Public Sector organisations, like everyone else, are now required to demonstrate effective risk management processes in their handling of personally identifiable information (PII) data, or themselves risk both the highly publicised new financial penalties and (harder to measure) potential long-term reputational damage as a result of a data breach.
“People should be responding to the threat of those very large fines to drive a third-party assessment and management process that will assure the protection and privacy of citizen and employee PII data and ultimately secure their organisations,” adds O’Brien.
You’re only as strong as your weakest link
That is why DVV Solutions has developed a range of services and solutions to deliver more effective and efficient third-party risk management for national and local public sector organisations. Our suite of consultative and managed services delivers significant improvements in
– developing and maturing current risk methodologies and frameworks,
– scaling resources to supplement and enhance existing risk assessment programs, and
– delivering time and cost efficiencies through established best practice and workflow automation,
enabling risk assurance teams to spend more time on what’s important: eliminating control gaps, raising security standards and reducing overall risk.
“We stand by our record of enhancing the oversight of the security controls third parties and suppliers use to protect the valuable and sensitive data our clients are responsible for, ensuring operational efficiencies, conformity to increasingly stringent regulations and the effective management of third-party risk,” concluded Sean O’Brien.
This article was originally published as part of DVV Solutions’ collaboration with Executive Television: www.executivetv.org as part of their “Digital Realities” series.
About the author: Sean O’Brien CTPRP, CTPRA
Sean has over 25 years’ hands-on experience of delivering managed services within IT security and governance, risk and compliance (GRC) and is a practicing Certified Third Party Risk Professional (CTPRP) and Assessor (CTPRA).
As a foundation to the success of DVV Solutions, Sean has been instrumental in supporting our business partners Prevalent Inc. and Shared Assessments in creating a foothold in the Third Party risk assurance marketplace across Europe.
His philosophy to become a trusted information security partner is built upon long-term relationships with clients based on honesty and shared values.