AdobeStock_310014089 (1).jpeg

PROCUREMENT

With advances in technology, we are often spoilt for choice when it comes to purchasing IT. So many solutions promise the earth and often deliver it too. However, if your organisation values longevity, an untarnished reputation and legislative compliance, then you should seriously read this article before picking up the phone to place your order.

Let’s say you’re a medical practitioner. Along comes an app that permits members of the public to arrange appointments, add medical notes, and even receive messages from the centre. Awesome! We have improved administrative efficiency and increased end user satisfaction. We have - in one fell swoop - met our critical mission objective: improve patient care.

Now let’s look at it from an IT security point of view.

 

  • Encryption:  What technology is being used to encrypt the data as it travels over the wire so that it cannot be captured and read by a malicious actor? Mmm. . .If the vendor has chosen poor encryption protocols or hasn’t properly implemented encryption techniques, we are in a world of pain right there - sensitive data is open to compromise and exploitation.

 

  • Source code protection: That sounds like another IT issue. Not really - without binary protection, a malicious actor can reverse engineer your app, inject malware into it and then distribute it publicly. Not only does this mean that the confidentiality of your data is at risk, but you’ve now become an unwitting participant in disseminating harmful viruses, trojans and worms. The same is true of any web page that an enterprise invests in. Without proper consideration of how security will be embedded into the product, and without proper testing of those security mechanisms, you are opening doors to cybercriminals.

 

  • Poor Data Storage: The data from the app is usually stored somewhere on the phone. That ‘somewhere’ may be accessible to other apps and other users. Alternatively, the data may be stored in the cloud. But where exactly is that? And with what security safeguards? As with all cloud implementations, you rarely have control or oversight over the hardware that is used to store and process your data and, in some instances, you will be sharing those resources with other organisations and users. Without proper safeguards this is a recipe for disaster.

Why should I care? Sounds like the vendors need to get their act together!

  • You cannot transfer ownership of data. You are the data owner. As such, you are expected to perform the necessary due care and diligence to make sure that the data you are charged with, is secure. When things go wrong, regulatory bodies and law enforcement officers come knocking on your door in the first instance. Official bodies, such as the ICO have and will, issue fines - which can be substantial - and heads may roll.  Nor is it likely that your cyber insurance (even if you have one) will compensate you for the payment of fines - which is unethical.

 

  • What your customers will think: Now lets consider, your customers or clients.  Will they thank you for using a problematic system that has led to a data breach?  According to research conducted by Experian, 69% of users following a data breach will be discouraged form using the service again, 48% would stop using the organisation altogether and 44% would seek financial compensation – that’s a hefty price tag for any organisation to take.   

 

  • So what’s your plan: We haven’t even started to talk about how prepared you are to handle a security breach. A strong communication strategy is essential, together with expert analysis of what happened and how, so that the problem can be contained, mitigated and, if possible, sanitised. Unfortunately, too many small to medium sized organisations; do not have an incident response strategy, do not have a business continuity plan to prevent downtime or a disaster recovery plan to rebuild essential systems and services as quickly as possible. Nor do they have easy access to cheap cyber security advice or legal counsel, which you will need in spades.

 

AdobeStock_190963843.jpeg
  • The financial impact: When the retail giant, Target suffered a data breach in 2013, it failed to take account of fraudulent charges made on customers’ payment cards, as well as the costs to replace such cards. Target also had to pay for expenses arising from the investigation and remediation of the data breach; credit-monitoring services, legal fees and advertising and consultancy fees to reduce reputational damage.  The insurance policy ($90 million of cover) still left them with a staggering $162 million deficit - and this says nothing about the loss of revenue from system downtime.  Whatever you think the cost of a data breach is - there is a good chance that it will cost a whole lot more.

 

Working Towards A Better System.

Use what you have: If you have an experienced procurement team, it is incredibly important that you do not attempt to bypass them. Every item of tech and every piece of software presents a huge security risk. This risk must be assessed and evaluated by professionals and senior management to make sure that:

  1. The technology will make a positive contribution to enterprise goals.

  2. It is financially viable.

  3. The organisation’s appetite for risk is not exceeded.

 

I can’t use what I have - its just me! If this is the case, you are going to have to decide how important the system or software will be to your operations.

  • Will it process regulated or proprietary data? 

  • How long can you afford to be without it?

  • Are there viable work arounds if it suddenly stops working?

  • Will recovery of the system require 3rd party intervention with unpredictable time frames?

Once you understand the criticality of the system, you’ll have a better idea of what type of assurances you need and what type of questions you should be asking the vendor. More on that in a second!

Too late - I bought stuff and now you’ve made me panic!

Hang on, we’ve yet to establish if there is a genuine concern.  For example, you may have picked a supplier that is security conscious. Either way, you need to go back to them and open up dialogue about what protections are in place and what security settings they recommend you to use. Sometimes the advice is free and publicly available, and sometimes it comes at a cost.

My research suggests my supplier’s security posture is rubbish!

Obviously the long term goal will be to replace the system.  In the short term, however, you can add compensating controls to protect your data.  For example:

  • If it’s hardware, you might be able to put it on a separate, isolated network to reduce exposure.

  • If it’s software, you might be able to install it on a hardened device, such as a laptop that supports whole drive encryption or biometric authentication (like a thumb print or Windows Hello).

  • If you’re worried about data travelling from point A to B, you might be able to get a VPN that encrypts data.

  • You may be able to educate users on what sensitive data looks like, so they handle it more carefully and follow operational procedures to minimise the exposure or accidental corruption of data.

  • You can add antivirus tools; firewalls, intrusion detection and intrusion prevention systems. You can develop a better backup strategy or work around solutions if the tech fails . . . and so on.

 

Important questions to ask 

 

Hardening:

  1. Does the product include features that may be unnecessary and can be disabled to reduce the number of vulnerabilities?

  2. Does the vendor have a clear upgrade and maintenance strategy so that firmware, software and other security updates can be implemented?

  3. Does the vendor issue security advice pertaining to device configuration?

Access Control & User Permissions:

  1. Does the product include guest accounts or default passwords that should be changed?

  2. Does the product block unauthorised access by implementing passwords or two factor authentication?

  3. Does the product allow for different permissions so that users can only access the data and functionality they need?

  4. Does the product permit the logging of who did what and when, so we have accountability and non-repudiation?

 

Encryption:

  1. Does the product encrypt data or is it possible to use technologies with it that will encrypt data?

 

Secure Design:

  1. Has the security of this product been an intrinsic part of it’s development - from conception to creation?

  2. What steps have been taken to make the product tamper proof?

  3. Does the vendor perform regular vulnerability or testing to make sure the product is protected against existing and emerging threats?

  4. Have 3rd parties conducted security assessments on the product? If so, what were the findings?

 

Compliance:

  1. What regulatory compliance is being followed by the vendor (GDPR, PCI, HIPPA, WCAG)?

  2. Does the vendor have contractual agreements for sharing data with 3rd parties and has due diligence been carried out before signing these contracts?

  3. Does the product come with warranties or guarantees?

 

User Support:

  1. Does the vendor understand my need for compliance and the sensitivity of the data that the product will use?

  2. Does the product come with support for the reporting and remediation of flaws?

  3. How does the vendor inform customers about security vulnerabilities and will guidance be issued?

  4. Are support lines 24/7 and are there different ways of communicating: chatbot, telephone, FAQs?

  5. What are the service level agreements (SLA)?

  6. Does the vendor have a backup and disaster recovery processes?

 

Delivery and Disposal:

  1. How secure is the distribution process?

  2. What is the disposal risk and mitigation strategy?

 

And finally - is there a better way of doing this stuff.

A good risk assessment will help an organisation to:

  • Identify critical systems and processes.

  • Determine criticality and priority.

  • Assess current and desired security posture.

  • Use a security framework to manage and monitor risk.

  • Procurement is part and parcel of almost every possible framework and encourages the use of defined, repeatable and mature processes that are grounded in best practice.

See something not quite right? Email: EMSOUCyberProtect@leicestershire.pnn.police.uk