Information Security Best Practice: what to look for when choosing a consultancy partner
Your business takes its cyber and information security obligations seriously. But can the same be said of your partners? When appraising potential consultants and service providers, these are the trust indicators to look for.
Avoiding exposure: What makes a technology consultancy a potential infosec weak point?
What attributes do you look for when choosing a consultant to work with? Inside-out knowledge is a must-have. So, too, is responsiveness; you need a partner who ‘gets’ what you need and will work with you to deliver it. And especially when it comes to digital transformation, most decision-makers also want to see clear evidence of program success: “This is a significant move for our company, so can this consultancy actually deliver what we are aiming to achieve?”
Alongside this, information security is a further area you need to look closely at. With any technological consultancy arrangement, there is an element of handing over the keys to the kingdom or, at the very least, a back-and-forth flow of some sensitive information. Depending on the project, your partner will need detailed information about – and often, direct access to – critical systems, processes, and data.
Threat actors are all too aware of this. They know that when they successfully infiltrate a professional services provider, IT consultancy, or software implementation partner, it potentially opens a rich treasure trove, exposing sensitive data relating to each and every one of their target’s clients.
According to Security Magazine, third-party attack vectors are responsible for 29% of all breaches. Three quarters of these third-party breaches are linked to software products and technological services.
An estimated 60% of organisations use cyber security risk as a key factor when determining transactions and business engagements with third parties, which suggests that a significant minority may be failing to give it proper thought. When it comes to technology projects and process transformation, this risk needs to be on the radar of every business.
So how can you tell if a particular consultancy takes cyber risks and information security seriously? Here are the areas to focus on…
They Have the Right Accreditations
To understand your business, your consultant will need to see items such as your business process maps, details of internal procedures, information on existing system priorities and vulnerabilities, and more general information linked to your future and growth strategies. Once the project is underway, they may need to move or process segments of your data across multiple locations or export it for analysis or testing. Obviously, you do not want this to fall into the wrong hands.
Look for consultancies that have been independently verified as having what it takes to keep your information safe. Probably the single most valuable trust indicator here is ISO 27001. If your consultant has an up-to-date ISO 27001 certification, it shows they have an effective ISMS (information security management system) in place. This means the following:
- The consultancy has identified the risks to which its information assets – and clients – are exposed.
- It has appropriate measures (i.e., controls) to protect those assets.
- It has a clear action plan in case of an information security breach.
- It adheres to clear accountability and auditability principles: i.e. you know exactly which individuals are responsible for each step of the information security process.
They Embrace Security by Design
Security by Design (SbD) means that security is considered an integral part of a project from the beginning rather than being layered on later as an afterthought. It means that appropriate security measures are hardwired into new systems or processes at the outset, helping you avoid costly post-deployment security fixes.
You can learn a lot about whether a particular consultancy takes SbD seriously from the questions they ask you as part of any initial needs appraisal. The main point of this appraisal is to establish how you operate, what you want to achieve, and what needs to be done to help you reach your goals. At the same time, however, an SbD-focused consultant should also explore areas such as the nature and sensitivity of the data you hold, who needs access to it, and details of any specific regulatory frameworks that apply to your business. Right from this early encounter, a consultant should consider the information security risks your business faces and factor them into their proposals and recommendations.
They Maintain Appropriate Safeguards
It’s easy for a business to claim that it prioritises information security. The proof is in the action it takes. If a consultancy takes its responsibilities seriously, you should expect to see the following types of safeguards in place:
- The consultancy has an information security policy in place
- Regular security audits and risk assessments are carried out
- They follow a recognised information security framework (e.g. ISO 27001). They have up-to-date accreditation to demonstrate this
- There are clear measures in place to protect client data, including encryption for data at rest and in transit, access controls, and secure storage
- Special care is taken with personally identifiable information (PII) and other categories of sensitive data. This includes GDPR compliance
- If they need to do system or application testing using PII, this is anonymised or pseudonymised beforehand
- Access to client systems and data is closely managed. This includes the application of the principle of least privilege (PoLP)
- Auditability is taken seriously: they can track and log consultant access to client environments
- Care is taken to revoke access after project completion
- Appropriate DevSecOps practices are followed for software implementations
- Incident response and disaster recovery plans are both in place and verifiable. This includes clear procedures for notifying clients in the event of an information security breach
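The pseudonymisation safeguard in the list above, as an added illustration that is not Millennium Consulting's own code: PII fields in a constructed client extract are replaced with a keyed HMAC-SHA256 tag before the data goes to a test environment, and a gate check confirms no clear value survived. The field names, sample records and the idea of a per-engagement key that is destroyed when access is revoked are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Fields that must never reach a test environment in the clear (constructed list).
PII_FIELDS = ("email", "national_id")

# Constructed sample of client records; the first two rows belong to one customer.
SAMPLE_RECORDS = [
    {"order_id": 1001, "email": "a.jones@example.com", "national_id": "QQ123456C", "total": 49.90},
    {"order_id": 1002, "email": "a.jones@example.com", "national_id": "QQ123456C", "total": 12.00},
    {"order_id": 1003, "email": "b.khan@example.com", "national_id": "ZZ987654A", "total": 300.00},
]


def pseudonymise_record(record, key, fields=PII_FIELDS):
    """Replace each PII field with a keyed HMAC-SHA256 tag.

    Keying with a per-engagement secret means the mapping cannot be rebuilt
    from the test data alone, while the same clear value always maps to the
    same tag, so joins across tables still behave correctly in testing.
    """
    out = dict(record)
    for field in fields:
        value = out.get(field)
        if value is None:
            continue
        tag = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()
        out[field] = f"{field}:{tag[:16]}"  # a truncated tag is enough for test data
    return out


def pseudonymise_dataset(records, key, fields=PII_FIELDS):
    return [pseudonymise_record(r, key, fields) for r in records]


def contains_clear_pii(clear_records, test_records, fields=PII_FIELDS):
    """Gate check before export: does any original PII value survive in the test set?"""
    clear_values = {str(r[f]) for r in clear_records for f in fields if r.get(f) is not None}
    return any(str(t.get(f)) in clear_values for t in test_records for f in fields)


if __name__ == "__main__":
    # Generate the engagement key once; destroy it when access is revoked at project end.
    engagement_key = secrets.token_bytes(32)
    test_set = pseudonymise_dataset(SAMPLE_RECORDS, engagement_key)
    assert not contains_clear_pii(SAMPLE_RECORDS, test_set)
    for row in test_set:
        print(row)
```

Because the tag is keyed, destroying the engagement key at project close also destroys the only practical way to link the test data back to real people.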
Millennium Consulting: De-Risking Your Business Transformation Journey
Reputation counts for a lot when it comes to information security. The same goes for longevity.
In its 30-plus years of operating, Millennium Consulting has delivered significant business transformation projects for hundreds of organisations, including businesses in some of the most tightly regulated sectors out there.
Our approach to information security is a big part of our success and longevity. Far from being an afterthought, cyber and infosec best practices are hardwired into everything we do.
To discover more about de-risking and successfully transforming your business, speak to us today.
Millennium Consulting Awarded ISO 27001 & ISO 9001 Certification
January 2025
Our ISO 9001 and ISO 27001 certification has been updated and re-validated to the globally recognised UK Government UKAS standard. The ISO 27001 certification now aligns with the latest ISO 27001:2022 standard.