VENDING SECURITY
CREATE, MAINTAIN AND TEST A BUSINESS CONTINUITY AND DISASTER RECOVERY PLAN.
Companies that have been hacked often have resilient, industry-leading security measures in place, but incidents still happen, whether through vulnerabilities or human error. It’s important to prepare for the worst. A good plan will identify the appropriate individuals in the organisation who need to be involved in decision-making; set out the technical detail on whether and how the business can continue to trade without some or all of its key IT systems; cover how PR and communications are handled; and describe the technical detail on transfers, backup and restoration of any data subject to a data breach (this is often achieved with help from third party experts). Organisations should also have cyber, PR and legal experts on hand to support quickly with an incident as soon as it is identified, assisting with any regulatory notifications which need to be made - usually within 72 hours of the organisation becoming aware of the breach.
Implement robust policies, procedures and training to adopt a “privacy by design and default” approach within the organisation. Remember, the survey shows that 84% of cyber incidents are caused by phishing links and similar – if only one person clicks on the wrong link, it could infiltrate parts of an IT system. Protect your organisation by making sure staff are aware of policies and regularly trained on best practice with respect to cyber security and data protection.
MAP OUT THE TYPE OF DATA YOUR ORGANISATION PROCESSES AND RISK ASSESS FROM THERE.
For example, sensitive HR data will likely need more access restrictions and additional protections than a database of B2B contact details. Consider additional security measures, such as pseudonymisation, for high-risk data.
REVIEW CONTRACTUAL TERMS BEFORE SIGNING A CONTRACT WITH THIRD PARTY PROVIDERS (E.G. END POINT DETECTION PROVIDER).
When engaging with any third party provider, for example an end point detection provider that will support with scanning for any unusual / unauthorised activity within an organisation’s network, take time to review the proposed contractual terms before signing the contract. Look out for key obligations on the provider, the commitments it is willing to give and its financial liability if things go wrong. Vendors of one-to-many platforms or services usually seek to operate on standard T&Cs and often heavily limit their liability under the agreement to ensure they don’t take on an unworkable amount of risk. That being said, customers of these services should seek where possible to get these to a balanced position. As part of the supplier onboarding process it is also prudent to undertake financial due diligence on vendors to understand whether they are likely able to support their financial liabilities under the contract.
INVEST IN YOUR CYBER SECURITY
All too often, organisations only invest in cyber software and protections when something goes wrong. The report shows just how prevalent these attacks are and how they can affect any organisation. These measures cannot completely prevent attacks, but they can help detect threats early and help keep systems as secure as possible. We have advised on many incidents where end-point detection has spotted a threat early, allowing it to be identified and its adverse effects mitigated quickly. Where personal information is concerned, it is also a legal requirement under data protection laws to have appropriate technical and organisational measures in place to protect personal data.
vendinginternational-online.com | 15