Third-party access a ‘weak spot’ in public sector IT systems

Sponsored by CyberArk

“The system is vulnerable, so what do we do?” asked Matt Middleton-Leal, of CyberArk, opening the Business Technology Inner Circle breakfast meeting on the security of third-party access to public sector IT systems.

As most organisations get to grips with the security of their IT systems, third-party access is often a weak spot. Nevertheless, giving third parties access is often unavoidable and so, Mr Middleton-Leal said, the challenge is to put in place robust security procedures and be aware that problems often arise when established systems break down.

The risk was underlined by Professor Andrew Blyth, of the University of South Wales, who pointed out that most organisations are often attacked through their supply chain, rather than through weaknesses in their own systems.

In the public sector the risks are often magnified by the type of data involved. Ian Bryant, of West Middlesex University Hospital, said the NHS has to be very careful about what data is sent out. NHS data can only be used directly for treatment and cannot be shared for any other reason. Sean Grace, of Moorfields Eye Hospital NHS FT, added that public sector organisations often struggle with IT security because they can’t afford the best qualified people.

Attendees proposed several practical steps for finding suppliers. Trust was an important factor. In a world of imperfect security, it is important to be able to trust that your suppliers have the same goals as you and the same incentives to protect your data.

That said, trust is only established by carefully vetting potential suppliers. Jo Andrews, of the London North West Healthcare NHS Trust, said that a lot of suppliers would expect organisations to hire them simply because they have similar clients. A smart organisation, she said, would ignore this and do its due diligence anyway. Mike Dungey, of Leicestershire ICT Partnership, agreed, saying it is important to consider how you can sense check a supplier’s claims.

Tom Wright, of Oldham Metropolitan Borough Council, said that one simple step was to ask what the supplier would do with the data and get assurances on how it would be secured. Professor Blyth added that organisations should also consider the plans in place for the end of the contract. What happens to the data then? Will it be returned or destroyed and, in either case, how will that be done?

In addition to specific steps for dealing with third-party suppliers, those at the breakfast meeting also discussed some general, cultural measures that can be taken to improve security.

Professor Blyth said that all organisations need to have a security awareness culture. It should be part of the fabric of the organisation in the same way that health and safety has become an accepted consideration in the workplace. Increased awareness would increase the likelihood that you would spot attacks on your organisation. Most organisations find out about an attack because a third party tells them, Mr Middleton-Leal said.

Professor Blyth added that many organisations were complacent because they didn’t see themselves as a target for attack. However, he said that most organisations have more assets than they realise and it is important to consider those when planning for security.

Mr Middleton-Leal agreed, saying that all organisations should identify their “crown jewels” – the data and system areas that were most important – and should allow access to those only via a proxy, removing the threat of a system being compromised by a stolen password or malware on an employee’s workstation.

Above all, Mr Middleton-Leal said, third parties should never have privileged access to your system without the correct controls. To minimise threats, they should always be given defined access for specific tasks and not just blanket access to your environment, he said.

Though security is vital, several attendees said that it is important not to succumb to paranoia. Doing so is unproductive because it often prevents the data being used for its intended purpose. In the NHS, for example, Mr Bryant said, if patient data could be used to save a life then it could be shared by any means necessary, regardless of security. There might be instances, for example, when it would be necessary to share otherwise confidential data as a Gmail attachment.

Sarah Lawson, of NPEU at the University of Oxford, said that the most important thing is to keep security measures proportionate and pragmatic so that the organisation can work safely but still be effective. She said the most sensible approach is to set information governance levels that are appropriate and then do due diligence on areas where levels of trust might be suspect.

Overall there was a concern that the necessary expertise was lacking in information security, which was holding everyone back, but that was tempered by a strong level of optimism that the industry as a whole can continue to improve.