Small Third-Party Providers – Step 1 in Navigating Through 2024 with NIS2 and DORA


Before diving into this article, it’s important to note that at Luxat, we are neither legal experts nor cybersecurity gurus. However, we aim to share insights that we believe can assist small businesses in shifting their mindset from “making it work” to “making it compliant,” even though the imperative to “make it survive” may overshadow the preceding considerations.

DORA is a focus, impacting all third-party providers, including solo entrepreneurs. I am of the opinion that even the smallest third-party providers should exert effort to comply with DORA and fortify their resilience against cyber threats through cost-effective solutions. Ultimately, the predominant cost often lies in the time allocated to implementing the processes outlined below.

Here are a few actionable points to undertake today, contributing to DORA compliance from a third-party perspective. While these may not be exhaustive, they certainly won’t make the situation worse:

IT Software Officially Approved by Your Company

Register and Use Only Hardware Purchased by Your Company

Strong Password Policy and Four-Eyes Principle

Centralize Personal Data Management

Data Confidentiality and Folder Organization

List Your Third-Party Providers and Rate Them

Create Standard Policies such as “Anti-Bribery” and “Anti-Fraud”

Develop Risk Management, Business Impact Analysis, and IT Security Policies

Take Cybersecurity Insurance and Professional Liability Insurance

IT Software Officially Approved by Your Company:

Compile a list of software applications that your company endorses for use. This list can be periodically reviewed to consider the addition of new software. Even if your IT infrastructure is not centralized, establishing such a list aids in formulating policies regarding IT security and cybersecurity. For instance, if you utilize Notepad++, designate it as approved software and assign confidentiality, integrity, and availability scores. While this article won’t delve into the meanings of these columns, it’s important to note that, for example, the confidentiality score will vary depending on whether Notepad++ is employed for storing personal data or merely for meeting minutes.

Register and Use Only Hardware Purchased by Your Company:

To initiate this process, it is imperative to establish a comprehensive database containing details of company-owned hardware and its assigned users. If a computer is not listed in this database, refrain from working on it under any circumstances. The registered hardware must undergo protective measures, including the implementation of antivirus software, adherence to a robust password policy, and the use of encrypted disks. Additionally, these devices should strictly feature a pre-approved list of software installations. This proactive approach ensures a secure and controlled environment for company hardware usage.
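As an added example (not code from the article), the two registers described above, the approved-software list with its confidentiality, integrity and availability scores and the company hardware database, can be kept as simple Python data and checked against what is actually installed on a device. All software names, scores, asset tags and the 1-to-3 scoring scale are constructed assumptions.

```python
"""Approved-software and registered-hardware check (added example).

Constructed data; the scoring scale (1 low .. 3 high) and field names are
assumptions, not from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Approved:
    confidentiality: int  # 1 (low) to 3 (high): impact if the data it handles leaks
    integrity: int
    availability: int
    purpose: str          # what the software is approved for


# Constructed approved-software register (the article's "IT software officially approved").
APPROVED = {
    "notepad++": Approved(1, 1, 1, "meeting minutes only"),
    "microsoft 365": Approved(3, 3, 3, "mail and client documents"),
    "keepassxc": Approved(3, 3, 2, "password manager"),
}

# Constructed hardware register: asset tag -> assigned user.
HARDWARE = {"LT-0001": "alice", "LT-0002": "bob"}


@dataclass
class Device:
    asset_tag: str
    installed: list       # software names found on the device
    disk_encrypted: bool
    antivirus: bool


def audit(device):
    """Return the list of findings for one device; an empty list means compliant."""
    findings = []
    if device.asset_tag not in HARDWARE:
        findings.append("device not in hardware register: do not use")
    for name in device.installed:
        if name.lower() not in APPROVED:
            findings.append(f"unapproved software: {name}")
    # Highest confidentiality score among the approved software present.
    top_c = max((APPROVED[n.lower()].confidentiality
                 for n in device.installed if n.lower() in APPROVED), default=0)
    if top_c >= 3 and not device.disk_encrypted:
        findings.append("handles high-confidentiality data but disk not encrypted")
    if not device.antivirus:
        findings.append("antivirus missing")
    return findings


if __name__ == "__main__":
    sample = Device("LT-0001", ["Notepad++", "Microsoft 365", "RandomTool"], False, True)
    for finding in audit(sample):
        print(finding)
```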

Strong Password Policy and Four-Eyes Principle:

Only work on computers officially registered by your company. For company computers, avoid using simple passwords or PINs; opt for alphanumeric combinations, at least 10 characters in length, and include special characters. Extend this to your phone PIN if work emails are set up. In an ideal scenario, consider employing password manager software to handle password generation (with no exceptions). Apply passwords to sensitive files like access databases. Implement a four-eyes control structure whenever possible, especially for domains and LinkedIn access. This precaution is particularly vital to prevent unauthorized access to essential platforms like your mailbox or website.

Centralize Personal Data Management:

All processes within your organization should exclusively access personal data stored in a single, designated location. Avoid dispersing client email addresses across various Excel sheets; instead, maintain a centralized repository that serves as the sole reference. If, due to software constraints, personal data needs to be stored in two or three different locations, ensure that such decisions are deliberate and well-documented. Create a comprehensive record of your personal data storage practices, outlining the where, what, and why. The “where” and “what” should be self-explanatory, and for the “why,” elucidate the specific processes for which the data is utilized. By adopting this approach, addressing client inquiries regarding GDPR portability, retention, and protection becomes more manageable. This proactive strategy streamlines responses and demonstrates conscientious measures taken to safeguard personal data.

Data Confidentiality and Folder Organization:

Maintain a comprehensive record of every business-related folder created for administrative tasks, assigning each a data confidentiality score. Recognize that the confidentiality level differs between folders storing client invoices and those containing expense information. It is imperative to assess and categorize the sensitivity of the data within each folder. I recommend a judicious division of your folder structure, especially with an eye towards future organizational growth. Certain folders, like those containing appraisals and salary information, demand heightened confidentiality and should not be housed within the same structure as client invoices. Although the current personnel managing salaries may also handle invoicing, organizational changes could necessitate a separation in the future. By structuring folders with foresight, you ensure that confidential data remains appropriately segmented, facilitating a seamless transition as roles evolve within the organization.

List Your Third-Party Providers and Rate Them:

Compile an Excel spreadsheet listing all your third-party providers, including telecom, internet services, accounting firms, and software providers such as Microsoft. Assign ratings for operational risk in the event of failure and the risk associated with the counterparty’s inability to deliver services. This assessment will aid in identifying potential vulnerabilities and ensuring a proactive approach to risk management.

Create Standard Policies such as “Anti-Bribery” and “Anti-Fraud”:

Develop and disseminate standard policies such as anti-bribery and anti-fraud within your organization. Use templates as a starting point, but customize them to align with your company’s values and operations. The key is to communicate these policies effectively across teams, fostering awareness of and adherence to ethical guidelines. Having them ready will also be useful when answering RFPs.

Develop Risk Management, Business Impact Analysis, and IT Security Policies:

This is probably the hardest point to implement, but every client will request it.

Risk Management Policy: Outline a comprehensive risk management policy tailored to your company’s specific needs. This policy should address risks associated with IT hardware, software, and third-party providers. Utilize an Excel sheet to list and assess risks, incorporating scenarios, severity, and probability ratings. Provide a remediation plan for each identified risk to mitigate potential threats. Be creative in scenario development to cover a broad range of potential issues, from hardware theft to third-party provider bankruptcy. For example:

Laptop theft or laptop hardware failure: what do you do, what do you lose, and how do you retrieve the data?

If your third-party provider for your accounting goes bankrupt, what do you do?

IT Security Policy: Define a clear IT security policy detailing accepted software, password protocols, encryption standards, hardware management practices, and data storage guidelines. Specify whether stored information is deemed confidential or not and articulate the procedures for data backup and restoration. Address access control mechanisms, detailing how access is managed and ensuring employee compliance. Also define the security controls in place: antivirus, disk encryption… Having a Microsoft 365 business account will definitely help in managing some aspects of this procedure; there are many advantages that I can list if you private message me. By implementing these policies, you lay the foundation for effective risk management and IT security within your organization. Regularly revisit and update these documents to reflect evolving threats and organizational changes, fostering a culture of continuous improvement in security practices.

Take Cybersecurity Insurance and Professional Liability Insurance:

This will not protect you from hacking, but it will provide substantial help from the insurance company in investigating the weakness exploited and the source of the threat, and it will also provide a budget to rebuild your data. Professional liability insurance protects against damage done to your client while working on the delivery they ordered.

By implementing these steps, small third-party providers can enhance their compliance with DORA and fortify their resilience against cyber threats. Regularly revisiting and updating these measures will ensure ongoing compliance and security.