We recently participated in a rigorous security assessment as part of a tender process with one of Australasia’s largest infrastructure operators. It was an incredibly thorough process and security was heavily weighted in the assessment. On being awarded the contract there was no doubt our response to the security assessment played a large part in the decision.
Today, every sizeable organisation is aware of the need to protect itself from cyber attacks. As third party due diligence is a vital component in achieving resilience, we expect security assessments by our potential customers will become increasingly common and sophisticated.
The challenge will be for non technical stakeholders, for whom IT security protocols aren’t easily understood and best practice is not well known. To help, I’ve written this article which unpacks - in everyday language - six critical components to IT security and shows how you can think of each in light of best practice.
Data is often in motion, being transferred between people, organisations and systems. Data encryption addresses the risk of information being intercepted, stolen and put to nefarious use. It is essentially the scrambling of plain text into an indecipherable code, or ‘ciphertext’, so that it’s unreadable when enroute to its recipient. Upon receipt the message is translated back to its original form in a process called decryption.
Beyond the obvious benefit of safeguarding private information, data encryption also ensures the authenticity of the information by verifying its origin and disavowing the sender of the ability to repudiate their role.
No two things are ever the same and it’s worthwhile understanding the encryption types so you can differentiate between those that are reliably effective, emerging (and superior in speed and flexibility), or on their way out.
And remember to consider data that is at rest! - it’s still at risk of being hacked and should be encrypted at a secure data centre.
One of the first questions to ask a prospective provider is whether their system is geo-redundant. This is essential to mitigate against geographical risks like natural disasters, catastrophic events or glitches that cause network outages. Geo-redundant systems replicate their data - in real time - across data centres in different geographic locations so that, in the event of a regional failure, the system will automatically failover to a secondary system.
Have you ever lost an important file, or folder of family photos? Data loss can be upsetting for an individual, but it is devastating for an organisation. That’s why it’s essential to ensure your providers have your data backed up and stored securely.
Back ups not only include data, but also virtual infrastructure. Two questions to ask regarding back up protocol are:
1) What is your Recovery Time Objective (RTO)?
2) What is your Recovery Point Objective (RPO)?
RTO refers to how quickly a system can be up and running after a major failure ie. how long it takes for your backup to become live. RPO refers to the maximum amount of data that will be lost ie. how often the data is backed up. At VendorPanel, we back up data every 7-10 minutes.
Unfortunately hackers are becoming increasingly sophisticated and it’s no longer rare for hackers to compromise one server and use it to then jump onto another. So how can you be assured that your data will be safe if another consumer’s server is compromised?
Data separation employs rules and permissions to virtually separate configurations, or enterprises in layman language. Don’t omit data separation in your security questionnaire, it will only become more relevant.
A recent Wall Street Journal article has alerted us to a worrying reality - most businesses are not prepared for disaster. The article cited findings from a survey of IT professionals in a variety of sectors, including technology, which found half of the businesses didn’t have documented disaster recovery plans to ensure business continuity in periods of downtime (system failure). Of the half that did have plans, only 23% had ever tested them.
Downtime happens. No business has a clean record, so make sure you enquire about your providers disaster recovery plan for business continuity during downtime. Without a plan in place, the effect of a provider's downtime will needlessly impact your businesses.
A number of methods - both physical and cyber - can be used to prevent unauthorised access to your system, so why not have them all! Though seriously, it’s not too much to ask. A provider who has adopted best practise protocols will be able to detail their company policy on password management; portable devices; and decommission & disposal of documents. They will have deployed physical security measures such as access keys and cameras and vetted staff using criminal history checks.
Don’t overlook organisational security, breaches can as easily occur outside of the primary network so take the time to ask and understand your prospective provider’s onboarding and training protocol and the management initiatives that support the ongoing review and improvement of cybersecurity.
I can promise you, the investment in IT security is worth it - you’re mitigating against a risk that costs organisations, on average, $3.9 million in data breach fines. Start a conversation to find out more about our approach to security.