Connect with us

Top Stories

Securing Information Throughout the Supply Chain – Preventing Supplier Vulnerabilities 

Published

on

Securing Information Throughout the Supply Chain – Preventing Supplier Vulnerabilities  1

By Adam Strange, Data Classification Specialist, HelpSystems 

The financial services sector is experiencing extreme disruption coupled with rapid innovation as established institutions strive to become more agile and meet evolving customer demand. At the same time, new market entrants compete fiercely for customers. Increasing operational flexibility, through the deployment of cloud infrastructure or via digital transformation initiatives, is critical for future competitiveness but it has also driven regulatory and security challenges, particularly around working with suppliers.

That said, the benefits of a diverse, interconnected supply chain are compelling: agility, speed, and cost reduction all weigh on the positive side of the equation, prompting financial institutions to pursue close, collaborative relationships with suppliers, often numbering in the hundreds or thousands.

Weakness in the supply chain

On the negative side is the increased cyber threat when enterprises expose their networks to their supply chain. In our modern interconnected digital ecosystems, most financial organisations have many supply chain dependencies and it only takes one of these to have cybersecurity vulnerabilities to bring a business to its knees.

As a result, breaches originating in third parties are common and costly – a Ponemon Institute/IBM study found that breaches being caused by a third party was the top factor that amplified the cost of a breach, adding an average of $370,000 to the breach cost.

Concern around the supply chain was also evidenced in a recent report we have just issued, whereby we interviewed 250 CISOs and CIOs from financial institutions about the cybersecurity challenges they face and nearly half (46%) said that cybersecurity weaknesses in the supply chain had the biggest potential to cause the most damage in the next 12 months.

But sharing information with suppliers is essential for the supply chain to function. Most financial services organisations go to great lengths to secure intellectual property, personally identifiable information (PII) and other sensitive data internally, yet when this information is shared across the supply chain, does it get the same robust attention?

Further amplified by COVID-19

Financial service organisations have always been a key target for cyber attacks.  Our research showed that since COVID-19 hit, the risk has elevated further, with 45% of the respondents seeing increased cybersecurity attacks during this period. Likewise, hackers are rejecting frontal assaults on well-defended walls in favour of infiltrating networks via vulnerabilities in suppliers.

But financial services organisations must maintain reputations and ensure customer trust. Firms are keen to demonstrate that they are protecting customer assets, providing an ultra-reliable service and working with trustworthy partners. So, what can they do to better protect their supplier ecosystem?

At the very least, they need to ensure basic controls are implemented around their suppliers’ IT infrastructure.  For example, they must ensure suppliers maintain a secure infrastructure with a minimum of Cyber Essentials or the equivalent US CIS certification controls. Cyber Essentials defines a set of controls which, when implemented, provide organisations with basic protection from the most prevalent forms of threats, focusing on threats which require low levels of attacker skill, and which are widely available online.

Likewise, they need to ensure good information management controls are in place and this begins with accurate information/data classification. After all, how can you apply appropriate controls to your information unless you know what it is and where it is?

How ISO27001 helps organisations put in place a data classification process

The international standard on information security, ISO27001, describes the basic ingredients for data classification to ensure the data receives the appropriate level of protection in accordance with its importance to the organisation. It comprises three basic elements:

  • Classification of data – in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
  • Labelling of data – an appropriate set of procedures for information labelling should be developed and implemented in accordance with the organisation’s information classification scheme.
  • Handling of assets – procedures for the handling of assets developed and implemented in accordance with the organisation’s information classification scheme.

Adoption of this methodology will help financial services organisations and their supply chain take a more data-centric information security approach. However, there are essentially four key stages for implementing a data risk assurance supply chain approach and these are:

 1. Approval – in organisations with complex supply chains senior management, vendor management, procurement and information security will all need to support a robust risk-based information management approach. Details of previous incidents and their impact alongside the business benefits will be essential to gain stakeholder buy in.

 2. Preparation – Organisations should start with Tier 1 suppliers and initially identify the contracts with the highest business impact/risk. They should identify and record information repositories and the data that they contain together with the responsible business owners. Define a business taxonomy based on information categories of that data and include supply chain factors such as what information categories are shared.

For example, they need to understand the business impact of compromise against each of the information categories. Have any suppliers suffered security incidents? What assurance mechanisms are in place? Once all this information is collated the organisation can create a data classification policy and define a set of controls for each data category.

 3. Discovery – Select each data category and identify the associated contracts. Then prioritise the data category based on the risk assessment and verify that the data security controls and arrangements for each data category and contract meet the overall requirements. Once complete, hand over the contract for inclusion in the vendor management cycle.

4. Embed process – the overall objective is to embed information risk management into the procurement lifecycle from start to finish. Therefore, whenever a new contract is created there are a number of actions required which embed data risk at each stage of the bid, tender, procurement, evaluation, implementation and termination phases of the contract.

To summarise, organisations should start by researching the information risk and security frameworks such as ISO27001 and others. They should then focus on defining their business taxonomy and data categories together with the business impact of compromise to help develop a data classification scheme. Finally, they should implement the data classification scheme and embed data risk management into the procurement lifecycle processes from start to finish. By effectively embedding data risk management and categorisation into their procurement and vendor management processes, they are preventing their suppliers’ vulnerabilities becoming their own and are more effectively securing data in the supply chain.

Top Stories

Seven lessons from 2020

Published

on

Seven lessons from 2020 2

Rebeca Ehrnrooth, Equilibrium Capital and CEMS Alumni Association President

 

Attending a New Year’s luncheon on 31 December 2019, we played a game that involved predicting the world in 2020. Some of the questions included: would Uber become profitable? Would the three-decade bond rally finally come to an end? Would the US hit a recession?

Unlike any of our predictions based on a traditional approach to business and predicting, we now know that 2020 became the year where business, professional and personal plans were turned upside down, reshaped and put-on hold. The proverbial black swan had arrived.

As revealed in a new CEMS Guide to Leadership in a Post-COVID-19 World, to which I contributed, the COVID-19 pandemic has exposed deficiencies in the 20th Century vision of leadership, giving a rare opportunity to question the status quo.

So, what are the main lessons from 2020?

  1. Humans are enormously adaptive.  This is not an extinction scenario. The world is getting used to dealing with global human disaster which may become a recurring event. Life continues guided by new parameters.

  1. No sector or country is immune to rapid change. Just as the leveraged finance and equity markets ground to a halt during the Global Financial Crisis, we have seen a disruption in the financial markets (including M&A) in 2020, including a significant redistribution of wealth between sectors; think tech vs airlines and the hospitality industry. When a market is disrupted it has secondary and tertiary effects such as less work for accountants, lawyers, financiers etc.

 

  1. Location is not as important anymore. The belief that finance staff need to be based in one of the financial capitals to be effective has been forever altered. Pursuing a career in finance from anywhere is becoming possible. However, it’s likely that over time, financial controls and human interaction will move the work model back towards the traditional office approach, as work is a critical sanctuary for people. While working from home may allow more time for family, chores and sports, it is mainly effective for people who already have their internal and external networks. For junior employees it presents a notable challenge as they may be forced to spend their formative years without a chance to really build their networks.

 

  1. Change is likely to be lasting. The opportunity for alternative finance and tech focused providers is enormous and 2020 will accelerate this shift. For example, many retail banks are providing rather poor customer service, blaming the pandemic. Even the most loyal customers will be heading elsewhere. For recent graduates and current students this is a major shift; future winners and key employers may not be names we are used to seeing in the headlines.

 

  1. There will be a spotlight on leaders with visionary strategy and understanding of the operations. 2020 showed many politicians and business leaders behaving like they were playing a game of snakes and ladders, rather than executing a thought-out strategy. The next wave of thoughtful leadership is urgently required.

 

  1. Collaboration leads to success. The definition of a pandemic is an infectious disease prevalent worldwide. A global problem requires a collaborative solution rather than each country and industry on their own. Quoting Steven Riley, professor of infectious disease dynamics at Imperial College London: “Once you have the knowledge and you share the knowledge, then you are able to take measures to push transmission much lower”. This principle is transferable to management education. In a world more complex than ever, investing in a degree is hard currency. Combined with the full global alumni network, corporate partners and schools, CEMS is capital that doesn’t depreciate.

  1. Resilience has become a watch word. Saint-Exupéry’s quote resonates with me: “If you want to build a ship, don’t drum up people to collect wood and don’t assign them tasks and work, but rather teach them to long for the endless immensity of the sea.” We are in a new paradigm – so prepare for the next change. For COVID-19, while we hope that the vaccine will soon upon us, the broader long-term positive challenge remains.
Continue Reading

Top Stories

Data after Brexit: How does the end of the transition affect GDPR?

Published

on

UK's Post Brexit productivity puzzle

By John Flynn, Principal Security Consultant at Conosco

The UK has officially left the European Union now that the transition period has ended on January 1st 2021. But this could raise issues with one of the biggest bugbears for many companies – the international transfer of personal data.

Businesses can relax, somewhat – GDPR, which took businesses months to get their heads around, is not being replaced. It will continue as the UK GDPR 2018, and will still be based on the criteria of the Data Protection Act of 2018. However, the UK will retain the right to change the UK GDPR as it sees fit in the future.

The main changes apply to those who receive data coming into the UK from Europe. Transfers from the UK to other countries can continue under existing arrangements.

We know it can be difficult to cut through the legal jargon, so we have simplified what you need to know to protect yourself and your data:

1 – Update your privacy notice

Most businesses do not have the correct clauses in place ahead of January 1st, potentially exposing their liability, should something happen to their data. All company privacy notices online will need to be updated to specifically state ‘UK GDPR’, as opposed to ‘EU GDPR’. You will also need standard contractual clauses in place, which cover both parties – those transferring and those receiving the data.

 The Information Commissioner’s Office (ICO) has a list of what needs to be included in the standard contractual clause here. The ICO will remain the UK regulator for data protection, regularly liaising with each EU member state.

This also applies to Multi Corporate Groups who operate in multiple countries, who need to update their documentation and privacy notice to expressly cover the data transfers.  The UK has applied for an adequacy assessment, which would negate the need for contractual clauses, however this has not yet been approved by the EU.

2 – Data privacy assessments

Any company which runs applications and software should always perform a Data Privacy Impact Assessment. This was also in the guidelines before, but these assessments are now more important for those who outsource their IT operations internationally.

For example, when using a service such as a cloud-based system, the company must be sure that its service provider adheres to UK GDPR and stores the data within the European Economic Area (EEA), or has a binding corporate agreement with the company, where data is stored outside of the EEA. You should also, as mentioned above, make sure that a contractual clause is in place.

3 – Review local legislation

Contracts should now have contractual clauses that specify the responsibilities of the data controller and the data processor. If you are receiving personal data from a country territory or sector covered by a European Commission adequacy decision, the sender of the data will need to consider how to comply with its local laws on international transfers. You should check local legislation and guidance in this case.

4 – Cyber Security health check

The ICO is increasing its capacity and efforts to crack down on data breaches, post-Brexit. Now is a great time for all companies to have a health check to understand their Information Security posture and GDPR compliance. Nobody wants to be caught handling data improperly and fined when it could have been prevented with education and training.

A gap analysis performed by an expert is money well-spent. It’s also a fact that companies that have cybersecurity and Information Security controls are not only able to better defend against attacks but are also far better placed to recover from an attack.

Looking forward

It’s important that all businesses – large and small – are properly preparing their data storage and transferring for the 1st January. ICO has been busy setting examples by fining large, high-profile companies for failing to keep millions of customers’ personal data safe.

It will continue to come down hard on the data breaches of personal identifiable information and special categories of data. The saying ‘prevention is better than a cure’ rings truer than ever this year, and you will thank yourself if you make the efforts to properly store your data now, and not when it’s too late.

Continue Reading

Top Stories

2020 reflections and 2021 outlook

Published

on

2020 reflections and 2021 outlook 3

By John Hunter, Head of Banking and Fiduciaries, Finance Isle of Man

Reflections on the most surreal year

The Covid-19 pandemic has completely changed the world as we knew it, resulting in catastrophic loss of life and fears of a downturn hang over global economies like a sword of Damocles. In the UK, the new strain has further exacerbated the situation. As I am sure many have already said we are living in what could be called the most surreal times. People have been trying to cope with this “new normal”, by changing their lifestyles and evolving behaviours.

The Isle of Man responded swiftly to the pandemic by closing its borders and enforcing social restrictions which everyone respected and adhered to. Socially and culturally the Island demonstrated all the good things that come from living on a relatively small Island where community still means so much.

The Isle of Man’s financial services sector adapted quickly, seamlessly transitioning to working from home. The banks too adopted flexible remote working practices and continued to support clients around the world helping them navigate the challenging situation and making the most of any opportunities that arose.

Although there is no substitute for face-to-face interactions, we all embraced web-conferencing platforms like Microsoft Teams and Zoom to stay connected with contacts around the world and build and nurture business relationships, whether it was with financial services firms or high net worth individuals looking to relocate to the Island.

Furthermore, a priority for the Isle of Man has been to reinvigorate the business and cultural ties with South Africa. In a normal world, we would have travelled to the country, held in-person meetings with businesses and industry representatives and talked about building on our wonderful historic ties. However, because of the scale and breadth of disruption we had to change all our plans! We hosted a virtual roadshow which comprised a series of webinars exploring why it has never been more important for South African businesses and individuals to choose the right jurisdiction for long term financial planning.

Looking ahead to the future

We are all hoping that the global rollout of vaccines will provide the pathway to some form of return to normality and all the things people are missing will be back. Like amidst all periods of immense turmoil, interesting, new possibilities have emerged such as the revolution in work culture and a renewed importance of being close to nature and green spaces is. And these possibilities can help reshape society for the better.

The global economic recovery and rebuild might seem further away in the current environment especially amidst the new lockdowns. But we are confident in the resilience of economies and are hopeful that different industrial sectors and governments working together would result in green shoots.

The financial services industry has an important role to play in getting the world economy back on its feet. It is a core component of the solution to continue facilitating the financing of corporates, as well as to develop sustainable finance and nurture digital technologies which have proven to be vital during the pandemic. The sector should continue its cooperation and collaboration with governments and regulators to ensure efficient capital flows and financial stability for businesses and individuals.

Banks too have a crucial role to play as they are instrumental to the effective transmission of monetary policies and stimulus packages. As mentioned in a report by EY: “Financial insecurity in the wake of COVID-19 will require banks to boost consumer confidence and help build a more resilient working world.”

We expect the Isle of Man’s financial services sector and banks to continue navigating the situation with resilience as they have been doing thus far and contributing to the global recovery process. Also, we truly hope this will be our busiest year ever (subject to our ability to travel), with an extensive global schedule of planned activity to promote the Island as an international financial centre of excellence and innovation. Personally, I had planned to be in South Africa for the British & Irish Lions tour, but regrettably, it might not take place and as such we will look forward to catching up with friends there as and when we can.

Conclusion

No doubt, there are significant challenges for the world ahead but as Albert Einstein said: “in the midst of every crisis lies great opportunity”. And it is this opportunity that we all need to work together to identify and make the most of. We are confident that in 2021 the Isle of Man will continue to support financial services businesses help their clients, employees, and the wider society through these surreal times. We are all in this together.

Continue Reading
Editorial & Advertiser disclosureOur website provides you with information, news, press releases, Opinion and advertorials on various financial products and services. This is not to be considered as financial advice and should be considered only for information purposes. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third party websites, affiliate sales networks, and may link to our advertising partners websites. Though we are tied up with various advertising and affiliate networks, this does not affect our analysis or opinion. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you, or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish sponsored articles or links, you may consider all articles or links hosted on our site as a partner endorsed link.

Call For Entries

Global Banking and Finance Review Awards Nominations 2021
2021 Awards now open. Click Here to Nominate

Latest Articles

Voice Quality Matters: Quarter of Employees Working From Home Still Experiencing Regular Connectivity Issues 4 Voice Quality Matters: Quarter of Employees Working From Home Still Experiencing Regular Connectivity Issues 5
Business5 hours ago

Voice Quality Matters: Quarter of Employees Working From Home Still Experiencing Regular Connectivity Issues

-Survey of 1007 SMEs in the UK by Spitfire Network Services Ltd reveals pain points for employees working from home-...

Employee Ownership Trusts increasing in popularity amid a backdrop of continuing uncertainty 6 Employee Ownership Trusts increasing in popularity amid a backdrop of continuing uncertainty 7
Finance5 hours ago

Employee Ownership Trusts increasing in popularity amid a backdrop of continuing uncertainty

With 2020 behind us, the impacts of the COVID-19 Pandemic and Brexit are still being felt throughout the economy, and...

How the application network unlocks open banking’s future How the application network unlocks open banking’s future
Banking6 hours ago

Open Banking: the perfect pandemic tool – Equifax comments

With COVID-19 related financial fallout set to dominate the credit landscape in 2021, Dan Weaver, Open Banking Expert at Equifax...

How can we benefit from mandated e-invoicing? 8 How can we benefit from mandated e-invoicing? 9
Business8 hours ago

How can we benefit from mandated e-invoicing?

By Mark Stephens, the CEO of Blackstar Capital Electronic invoicing is at a tipping point. On the one hand, only...

World Tourism Organization (UNWTO) and Sommet Education launch Hospitality Challenge Pitch 10 World Tourism Organization (UNWTO) and Sommet Education launch Hospitality Challenge Pitch 11
Events8 hours ago

World Tourism Organization (UNWTO) and Sommet Education launch Hospitality Challenge Pitch

World Tourism Organization (UNWTO) and Sommet Education launch Hospitality Challenge Pitch – a series of online discussions focusing on revealing some of the winners...

Is MiFID II still fit for purpose in a post-COVID financial landscape? 12 Is MiFID II still fit for purpose in a post-COVID financial landscape? 13
Finance11 hours ago

Is MiFID II still fit for purpose in a post-COVID financial landscape?

By Martin Taylor, Deputy CEO and co-founder at Content Guru January 2nd, 2021 was the third anniversary of the implementation...

First of a kind Virtual Coffee Machine app with social meeting moments to support workforce wellbeing in a remote workplace 14 First of a kind Virtual Coffee Machine app with social meeting moments to support workforce wellbeing in a remote workplace 15
Technology13 hours ago

First of a kind Virtual Coffee Machine app with social meeting moments to support workforce wellbeing in a remote workplace

Powell Software’s first in a series of wellbeing technology innovations help remote employees socially connect with colleagues and keep the...

Most Video Content Created in the Summer Months, Finds Veritas Research Most Video Content Created in the Summer Months, Finds Veritas Research
Technology13 hours ago

Top 5 Ways To Lose Your Video Files

There are lots of reasons why you can lose video files in your system or device. While some of these...

FSS and India Post Payments Bank AePS Partnership Advances Financial Inclusion in India 17 FSS and India Post Payments Bank AePS Partnership Advances Financial Inclusion in India 18
Finance3 days ago

FSS and India Post Payments Bank AePS Partnership Advances Financial Inclusion in India

New Delhi, January 12th,2020: FSS (Financial Software and Systems), a leading global payment processor and provider of integrated payment products,...

Seven lessons from 2020 19 Seven lessons from 2020 20
Top Stories3 days ago

Seven lessons from 2020

Rebeca Ehrnrooth, Equilibrium Capital and CEMS Alumni Association President   Attending a New Year’s luncheon on 31 December 2019, we...

Newsletters with Secrets & Analysis. Subscribe Now