5 ways to reduce third party risk in the supply chain
4 April 2018
Jon Fielding, Managing Director EMEA, Apricorn
Enabling partners in a supply chain to share information and collaborate is crucial to a contracting organisation’s agility and competitive edge. However, once sensitive and confidential data or IP leaves that organisation’s central systems it is at risk of exposure to cyber security threats and access by unauthorised users.
Supply chains have evolved into supplier ecosystems that are increasingly lengthy, fragmented, complex and geographically dispersed. Each third party will have its own security framework, and take different measures to protect information against cyber attacks.
At the same time, every business is vulnerable to the ‘insider threat’. Human error, such as someone clicking on a malware-infected link in an email, and poor practice, for example PCs being left unlocked, can happen anywhere.
The increased mobility of today’s workforce also exposes data to loss or theft: employees are handling many different types of data over a variety of devices, systems, platforms and networks.
Organisations must have control of their data at all points on its journey through third party hands – and the controls applied must not impede the flow of information or ideas, or make processes impractical. The answer to protecting information lies in a data-centric approach to reducing third party risk.
Track all data journeys to pinpoint weak links.
Conduct a comprehensive audit of all of the data that is shared with suppliers and partners. You need to establish their security posture by finding out:
- What data is shared with suppliers, and for what purpose.
- How they store, process and use it.
- Where it resides – for example, is it stored in the cloud at any point?
- Who has access to it, and why.
- What security controls are placed on it.
- Where it flows downstream – do they share it in turn with sub-contractors or other third parties?
This exercise will help you identify any points at which data may not be sufficiently protected, so you can address these with tools, technologies, policies and processes.
Audits should be repeated at scheduled intervals, to safeguard data as projects progress, relationships evolve and regulations change.
Extend policies to all endpoints.
Once any security gaps have been identified, you need to review the policies and procedures that set out how different types of data must be handled and controlled, amending existing policies and introducing new ones as necessary. They should be workable, clearly defined and documented in straightforward language.
Policies could set out, for example:
- the corporate-approved tools and technologies that must be used, and when they should be updated
- rules for the length and complexity of passwords
- the requirement for auto-lock/self-destruct for lost or stolen devices.
Share the policies with all partners and contractors, and enforce them by writing requirements into third party contracts. Consider applying penalties for failures to meet these.
Build awareness and accountability.
Writing requirements into contracts goes only part of the way to making sure policies are adhered to. Employees are often unaware of their specific role in preventing data breaches or loss, and as a result they can unintentionally put data at risk.
Put standardised staff security training programmes in place, and extend them to partner and contractor teams. This will ensure that every business in the supply chain is aware of its duty of care in protecting the data it handles on your behalf. Alongside ensuring that all third parties follow the same best practice, this will increase supplier engagement.
Programmes should educate users in understanding the specific risks and threats to the data, their responsibilities in protecting it, the policies and procedures they must follow, and how to apply any tools provided to them.
Check that they’re ready for the GDPR.
You might be well prepared for the upcoming EU General Data Protection Regulation (GDPR), but a study carried out by Apricorn has found that 17 percent of organisations have no plan in place for ensuring compliance.
GDPR legislates for uniform and comprehensive controls that protect the personal data of EU citizens. To avoid compromising the personal information of customers and employees, and avoid being fined for failing to comply with the legislation, it is not enough to ensure that good data protection is a foundation of your business policy and practices. You also need to demand that suppliers and partners can demonstrate the same.
Make it a contractual obligation that they are able to trace all personally identifiable information (PII) that belongs to your organisation, and document where it resides and how it’s stored, retrieved and deleted. Ask for evidence that they are limiting the data they hold – deleting everything that is not required for operations – as well as of who is authorised to access it. Identify any areas of non-compliance, and demand that these are addressed immediately.
Encrypt all business critical and sensitive data.
The encryption of data should be a key element of the security strategy. This will render information unintelligible if it does fall into the wrong hands – balancing security with availability.
Encryption is specifically mandated by Article 32 of the GDPR as a means to protect personal data. The framework also states that an organisation which has implemented encryption is exempt from having to contact each individual affected in the event of a breach, allowing it to avoid the resulting administrative costs.
It is possible to prevent risk exposure in supply chains without compromising efficiency or productivity. By working to understand where the liabilities are, and taking proactive steps to address them, organisations can turn third parties from possible security risks into powerful security assets.