The word “cyber” is unavoidable. Every day in the news is yet another article, about yet another cyber incident, affecting yet another business. With business operations being ever increasingly digitised, it should be of no surprise that these companies are becoming increasingly worried by the potential of a cyber incident in their own organisation.
The risk is substantial. Changes to data protection legislation, coming into force May 2018, creates penalties of €20m or 4% of Global Annual Turnover per ‘data breach’. The constant evolution of malware and organised crime has lead to incidents like ‘WannaCry’ and ‘Petya’. Script kiddies (often bored teenagers) continue to test legacy web applications, leaving everyone concerned as to who may be the next ‘TalkTalk’ during this year’s school summer holidays.
These threats have businesses scrambling to identify and fix the weak spots that could make them the next victim, and contractors are increasingly in the spotlight.
The hardware and software used to design and deliver products and services is evolving at breakneck speed. Ultimately, however, all of these tools and process are designed, built and used by people. People connect everything together; they build the tools, configure the software and follow the processes. Naturally, this means that people are coming under increasing scrutiny as one of the greatest threats to an organisation.
Inevitably, it is for this reason that contractors must expect to begin to see a hardening of attitudes towards security and liability from their clients.
Contractors are often extended the same or greater trust and privileges than full time employees. They have access to confidential systems and data. They know how the client’s custom applications are put together. They have the ability to access and modify those applications, often remotely. This is a great power, and one that is recognised as ripe for compromise or abuse.
If you work on, design, build or provide systems critical for operations, or that process or store sensitive data, you will want to begin to review your own considerations in how you work and secure yourself. This may extend to:
- Your contractual liability to your client in the event of an incident that is directly or indirectly related to your work
- The security practices present and documented in the work you provide against recognised frameworks
- The security practices you undertake to secure the devices you use on-site or remotely
- Your own cyber insurance arrangements
This needn’t all be worry. Documenting your security practices in how you secure yourself and the work you provide is in itself an excellent sales tool.
Securing yourself as a contractor can be straightforward. The UK Government Cyber Essentials scheme is an excellent starting point, and is designed as a mechanism to standardise cyber risk management in the procurement function for your clients. To learn more and progress Cyber Essentials please visit www.cyber-ami.com.
It is highly likely that the security barriers enacted by your clients will continue to increase in severity, with ever greater requirements on contractors to clearly detail the steps they have taken to reduce risk. Should you have any concerns, Berea are available to advise and assist you.
Leave a Reply