THE NHS CYBER ATTACK SHOWS WHY AN AUDIT OF YOUR SUPPLIERS COULD BE JUST WHAT THE DOCTOR ORDERED
10th June 2024
The news that an NHS trust was hit by a cyber attack earlier this month naturally attracted a lot of headlines.
Even though cyber attacks are far from rare, when the targets are hospitals the stakes always seem so much higher.
In the weeks and months ahead we are likely to learn more details about how the attack happened, and what went wrong.
Initial reports suggest these cyber criminals focused on Synnovis, a private company responsible for blood tests, swabs, bowel tests and other crucial services for hospitals across six London sites.
Sadly, I wasn’t surprised at this part of the story.
Over and over again, we are seeing evidence of supply-side breaches like this.
Organisations often spend significant time, effort and budget protecting their own cyber security only for it to be breached via a supply chain partner. There are important lessons here for the property sector.
Many businesses use, and rely upon, third-party vendors supplying a myriad of services. In many cases these suppliers handle ultra-sensitive information which can be of incredibly high value if it falls into the hands of cyber criminals.
This includes home and business addresses, email accounts, bank details, passport data and copies of utility bills.
These are items which are all being openly traded on the dark web in exchange for cash.
And if you fall victim to an attack not only might you face a massive fine – your reputation can be destroyed forever.
So what steps need to be put in place to mitigate the risk of falling victim in the same way the hospitals in the capital did?
Ask suppliers how they are handling data
Sounds simple, but many don’t do it. If you are going through the process of onboarding a new vendor, start by considering how they handle information security. Talk with them early on about their security processes, and make sure you understand how they handle internal security. Only ever sign contracts with those vendors whose internal security processes align with your own security objectives. If you already have vendors in place but you don’t know the answers on these points, make it a priority to find out – straight away. Alarm bells should ring if a vendor doesn’t want to engage on this issue.
Conduct an audit
A vendor might say they are ticking all the boxes. But are they really? An audit may be the only way to see what’s really happening with your vendor’s security, so perform audits whenever necessary. An audit evaluates how the organisation executes against its security compliance framework, as well as its performance in previous audits. Look for indicators of compromise and for how well the vendor assesses cyber security risk. Proving that a third-party vendor has an information security programme is only half the battle against third-party breaches. The vendor should also be able to demonstrate that it takes risk management seriously and dedicates resources to its vulnerability management programme.
Set clear policies and expectations for data storage and transfer
Collaboration with third-party vendors often involves sharing or transferring data. Data storage and transfer without a defined policy can expose companies to risks, including unauthorised access, data breaches and failure to comply with data protection regulations. By establishing clear guidelines, companies can set boundaries and expectations regarding data storage and transfer. This assures that third-party vendors treat your organisation’s data with the same importance and standards as their own. Defined data storage and transfer policies act as a protective layer, ensuring data integrity at all levels.
Continually monitor third-party vendors
Third-party vendors play an integral role in your organisation’s supply chain. They can also introduce multiple risks, including data breaches and compliance violations, when not properly monitored. That means evaluating vendors only at the beginning of the business relationship is not enough; you need to monitor your vendors on an ongoing basis. Continuous monitoring assures that the organisation remains informed of any changes in the risk profile of its third-party vendors. It also allows you to take new measures and adapt your compliance strategies accordingly. With ongoing monitoring, organisations can detect potential threats earlier and foster a culture of transparency and accountability with their vendors. That, in turn, strengthens the trust and reliability in the partnership, assuring both parties are aligned in maintaining the highest standards of security and compliance.