Recent high-profile cyber attacks on New Zealand institutions such as the Reserve Bank and Waikato District Health Board have made many businesses aware of the significant and detrimental impact that a successful cyber attack can have on their ability to operate. They have also highlighted the importance of cyber security.
Contracts with IT Providers
It is widely accepted that secure IT systems and good data security are critically important to keep commercial, confidential and personal information safe - and the business operating. Contracts with IT providers are in the spotlight and cyber security is now a requirement for every business to protect their IT systems and data.
For secure IT systems, some key considerations for businesses to keep in mind when entering into contracts with IT providers include:
- The presence and extent of data encryption.
- Access controls (from a system access point of view).
- Regular penetration testing and reporting.
- Frequency and extent of data back-up procedures.
- The ability to conduct regular security and system audits.
In addition, for a business to be adequately protected, contracts with its IT providers should include specific obligations / warranties that the system or component provided does not include malicious software or backdoors, meets stringent security standards (discussed above) and complies with the relevant law. Businesses should also seek appropriate liability caps for loss or destruction of data (this is often unlimited or a supercap).
Policies & Practices
An organisation should adopt an appropriate IT policy (including the use and security of data and IT systems) to ensure safe and secure data and IT practices are followed by all employees and people who have access to the business’ IT system.
A policy might include:
- User access controls (multi-factor authentication).
- Background checks on employees and other users who have access to business data and IT systems.
- Guidelines relating to passwords, such as hard-to-guess password conventions and implementing processes to prompt users to change passwords frequently.
- A clean desk policy in offices and when working remotely, mobile device management, etc.
Good data and cyber security helps businesses to develop customer trust, build strong trading relationships and (importantly) comply with the law.
If you need further advice on what to look for in your IT contracts, how to ensure your business has the tools it needs for good cyber security and information about your legal obligations, please contact me or Edwin.