Third party suppliers and data security: are you managing your risk?

Just this morning we have seen the publicity regarding the contractor breach that exposed 50,000 Australian government and bank staff records. Recently, much media attention was also given to the theft of confidential technical information about new fighter jets, navy vessels and surveillance aircraft from an Australian defence contractor.

Discussion of the defence contractor’s data breach has put the spotlight back on the task of mitigating security risk along the supply chain, with third party suppliers in particular.

However, significant breaches involving third parties have been occurring for some time, and many organisations still leave this risk unaddressed.

All organisations work with third parties, and as the need to outsource non-core functions grows, so do supply chains. Wherever those parties have access to your data and information you have less control, so the risks need to be actively managed. Attackers look for the easiest way in, and a third party supplier with access to your data or systems may well be your weakest link.

In concluding an investigation this year into the Australian Red Cross Blood Service’s breach involving a third party, the Australian Information and Privacy Commissioner, Timothy Pilgrim commented “This incident is an important reminder that you cannot outsource privacy obligations. All organisations must put in place reasonable measures to ensure their third party providers’ compliance with appropriate privacy and data security practices and procedures.”

Managing risk across your supply chain and third party suppliers is a challenge, and it involves a series of points to investigate, prioritise and address.

We suggest you talk with your suppliers and consider:

  • What data and information do they have access to? Is it sensitive?
  • Do they understand how you expect them to handle that data and information?
  • Have you made the relevant security policies and procedures available to them?
  • Have they formally agreed to your security policies and procedures?
  • What security policies and procedures of their own do they have in place to protect data?
  • Is there a further “supply chain” to be aware of, where your third parties outsource work to other parties with whom you have no relationship?

Within your organisation consider whether:

  • Your procurement team has included data security requirements in contracts with third party suppliers
  • There is a regular review of the security arrangements written into contracts – much can change over a contract period of, say, three years
  • You have provided adequate training and oversight to third party suppliers to enable them to “get it right”
  • Your risk mitigation plan includes data security risks when working with third party suppliers
  • You have identified the most vulnerable points in your supply chain
  • You understand the ramifications and impacts, if a breach were to occur

You can take steps to protect your organisation from a data breach now by asking the above questions, updating your security policies and procedures to include third party risks, and ensuring effective implementation.

If your team doesn’t have the time or skills to do the work, ROI Solutions can assist. We have considerable expertise with policy documentation and implementation. Please contact us to discuss on 0414 702 163.

Published on LinkedIn, Nov 2017