Knowing you Knowing me AHA!

Author: Gary Hibberd

Date: 10th November 2020

“Working 9 to 5, what a way to make a living

Barely getting by, it’s all taking and no giving…”

Be honest. You didn’t expect a Cybersecurity blog to start with the lyrics of a Dolly Parton song, right?! What could Dolly’s song possibly have to do with Cybersecurity?!

Allow me to explain.

Not all suppliers are the same

This week I was speaking to a potential client (spoiler; they are now a client). They explained that they were looking for a consultancy and data centre that was certified to both 27001 and PCI-DSS.

As we discussed their need, I applauded them on doing their due diligence on new suppliers and asking some very searching and intelligent questions. It’s something I’ve been concerned about for some time, because not everyone does.

The Client explained that they had spoken to one consultancy which gave a great story about ISO27001, but wasn’t certified to the standard, and the data centre they ran was only partially certified to PCI-DSS. The Client said (and I quote); “They were only certified 9 to 12 of the requirements. What a way to run a data centre?” (I couldn’t help but hear Dolly’s song as he spoke!).

This particular Client was very clear about what they are expecting from their supplier and was very clear about what ‘good’ looks like.

Being certified to just 3 of the 12 PCI-DSS requirements simply doesn’t cut it. Especially if you are a Data Centre, it might be ok if you’re a florist! This is also true of Cyber Essentials (CE). It’s a great start, but if the only certificate that your Data Centre has is a CE Certificate, then may I respectfully suggest you change your Data Centre!  A CE Certificate is like having a swimming certificate; It might save your life. But it doesn’t mean you can swim the English Channel!

(Open Disclosure; Cyberfort are certified to all 12 requirements of the PCI-DSS, and UKAS Certified for ISO27001.)

My fear is that not every business owner or CEO will be asking these kinds of questions. It is likely that there are people reading this that haven’t asked too many searching questions of their suppliers, especially when it comes to Cybersecurity and Data protection. Why?

Because “it’s a complex topic”. “Who has time to ask?” And “would we understand the answers anyway?” These are all answers I’ve been given when I ask why due diligence hasn’t been carried out on key suppliers.

But it’s absolutely key people start asking these questions.

Why it matters to us all

In 2013 one of the largest hacks in modern times occurred, and it was carried out against the US retail giant Target. 40 Million credit and debit card numbers and 70 million records of personal information were stolen in the attack. The ordeal cost credit card unions over two hundred million dollars in the reissuing of cards. Target itself had to settle a court battle and pay $18.3Million in compensation to individuals affected by the attack, but the total cost of the breach cost Target $202 million, and the jobs of the CEO and many others at the board.

How did this breach happen? The initial intrusion into its systems was traced back to login details (user name and passwords) that were stolen from a third party supplier. The supplier in question was a refrigeration, heating and air conditioning subcontractor that had worked at a number of locations at Target and other top retailers.

Yes. One of the most costly hacks in modern history was able to happen because hackers came through the air ventilation system! Once in, they were quickly able to ‘hop’ through the network until they found their way into the cashier systems. From there, they simply sat back and every time someone used a credit card in the store, they ‘swiped’ the same information!

Knowing you. Knowing me. AHA!

When you allow a supplier into your business, you are trusting that they are a safe and secure business. But how do you know? Have you done your due diligence thoroughly? This is important when hiring your cleaning company, and is vital when it comes to your outsourced IT and Cybersecurity company.

What screening processes do they have for their staff? How do they monitor performance? What do they do in relation to security? How do they guard your data? Who is your point of contact? What are the SLAs for any issues? How do they handle data breaches? These are all sensible questions to ask of any supplier they have. But for your Data Centres and Cybersecurity companies, you must ask more searching questions.

Here are questions you should ask of your Data Centre today;

• What Information Certificates do you hold?
  • Are you UKAS certified to ISO27001? If so, what is your scope*
  • Are you FULLY Certified to the 12 requirements of PCIDSS?
  • Are you certified to ISO9001? 45001? 20000?
• What other relevant certificates do you hold? (if you deal with the USA, SOC may be needed)
• When was your last Pen Test and were any ‘Red Flags’ addressed?
• Have there been any data breaches in the last 12mths?

These are your initial questions, just to get you started. You can copy these into an email today and ask your Data Centre or security provider. Even if you use Amazon Web Services (AWS) or DropBox, you can Google the terms “AWS ISO27001 certificate” and “Dropbox ISO27001 Certificate” and you’ll be presented with a plethora of information, along with their certificate!

Why it’s important

If it’s not already apparent why double-checking your suppliers are secure (and being honest about their certificates), then allow me to remind you of a key aspect of the GDPR.

As a Data Controller, you have a legal obligation to ensure any processing of data is done so using appropriate technical and organisational controls (Article 24), and the GDPR goes further by stating that;

“Where processing is to be carried out on behalf of a controller, the controller shall use only processors (suppliers) providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

Not only do you have a legal obligation, but you have a need to do this to ensure that your business is protected adequately.

Conclusion

Don’t believe what you hear.  Not even from us at Cyberfort.

Ask to see copies of our certificates for ISO27001, and ask about our scope. I’ve seen companies proudly proclaim they are ISO 27001 certified, but the scope is for a small portion of the business that has no relevance to the key activities for which my Client wanted assurances in.

Ask about PCI-DSS, and how many of the 12 requirements they comply with. If you are happy that your Data Centre only comply with three of the requirements, ask them which three and ask why they don’t comply with the rest? You have a right to ask, and they know why they don’t comply with the rest.

If it’s possible, go and visit the Data Centre. You can come and see ours any time you like. Take a look around. Ask to meet one of the engineers. Look beyond what the salesperson is telling you, and ask probing questions. You are trusting them with the lifeblood of your business; Data.

I do this for my clients. It’s my 9 to 5… and companies that aren’t being honest and are barely getting by with adequate security. They are simply taking, without giving assurances of security.

I don’t think this is right.

I think this needs to stop. But it starts by asking intelligent questions. 

Go ask today.