Data breaches and third-party suppliers

Whilst business models become increasingly complex, so do the exciting opportunities to deliver better value and services to customers. The need for expertise or support services from a third-party supplier adds a dimension to the scenario and potentially poses a heightened security risk to both the business and its customers.

It’s a conundrum that every business has to confront. Whether you have a large or small third-party supplier network, employees that are not directly known to you, may as part of their work gain access to highly sensitive data. One way to reduce this risk is making sure the necessary business due-diligence and background checks of individuals is carried out up front to support your efforts in reducing the risk of losing personally identifiable information.

Our latest whitepaper investigating this topic Supply chain risk: Taking control of risk and vulnerabilities has unearthed that one of the key risks businesses are concerned about is the loss of personal information via a third party. If businesses don’t know where their customer or employee information is stored or managed, how can they ascertain who has access to it? If organisations carry out a 360Ëš view of your supply chain security, this could go a long way to minimise the risk and exposure from a potential data breach.

Our new research has identified four of the highest risks businesses are concerned about when using a third-party supplier:

  • Loss of personal data
  • Online fraud
  • Identity theft
  • Financial loss or damage

With loss of personal data being named as the highest risk, and with businesses saying they do not always carry out the necessary rigorous security auditing, there is an opportunity to change and manage potential data breach threats. Overall, only 49% of the businesses we surveyed (UK Medium/ Large) carry out security audit questions with their third-party suppliers. That means that more than half of businesses don’t take advantage of this preventative measure. And yet, it’s a simple way to obtain visibility and monitor weak points in the supply chain.

Organisations say they’re conducting other testing, such as: data transfer audits (43%), network vulnerability tests (41%), penetration server testing (36%) vetting of individuals (34%) and site visits (33%). However, these statistics demonstrate that businesses have an opportunity to do more in this area. With EU, General Data Protection Regulation (GDPR) soon to be mandated, this means businesses need to put further focus on data quality and how personal data is being managed. This is a good time to reinvigorate assessments carried out with suppliers to further support efforts to get in control.

Here are some important points to have in mind when working with a third party:

  • Regard your supplier network as part of your extended team
  • Get to know who is in your supply chain has access to your data – and why
  • Be mindful that data quality and management, as well as loss is a crucial component of GDPR and needs a readiness plan
  • In the event of a data breach, work out well in advance who is in control and would manage the notification to both customers and the authorities

A final, but significant point, is that consumers rarely make the distinction between you and your third parties. If a data breach occurs and their personal data has been lost, it’s unlikely your customers will be chasing your supplier or vendor; rather they’ll be looking to you for answers and support. By getting to know your suppliers better, you’re not only closing your risk gap, but forging stronger relationships and prioritising what’s important, safeguarding customers.

If you need support getting ready for a data breach notification in line with GDPR learn more here – Know, Prepare Recover: www.experian.co.uk/databreach