That’s outsourced so it’s not our problem… right?
Of course there are risks and benefits associated with both outsourcing and having functions conducted internally. These can vary from available expertise to cost or risk. However, many businesses make the mistake of thinking that by outsourcing something, the problems with that specific function simply disappear.
Recently, a website belonging to the Finish Enterprise Agency was severely compromised by a third party organisation, which had been subcontracted to maintain and secure the website. The third party organisation reportedly stored passwords in clear text, leading to the breach that is thought to have revealed the login credentials of 130,000 users. This is the third largest data breach in Finland to date in terms of the number of accounts compromised, according to the Finnish Communications Authority.
This happened in a different country so what does it matter?
Well, just because the example happened in Finland it does not mean that it could not happen to businesses within the UK. Cyber-crime is one of the biggest current threats to UK businesses, including SMEs in the current landscape.
This situation could affect any business that outsources any function, not just your website. What would be the impact to your business if a third party was breached? E.g. Payroll service provider, IT service provider, web hosts, HR function.
With the breach being caused by a third party, what can I do to protect my business?
One of the first things to consider is just how well you know your suppliers and how you are able to define their role in providing the outsourced functions.
As part of your business processes do you ensure that security checks are carried out when engaging with your supply chain?
These checks could be something as simple as credit checking the company, paying attention to accreditations such as ISO9001, or ensuring that they have a comprehensive privacy policy that is compliant with current UK data protection legislation. Or more extensive checks based around your security policies and procedures, or Government/ industry best practices e.g. Cyber Essential, ISO27001.
Do you have written Service Level Agreements?
Service Level Agreements help to define expectations by outlining exactly what the third party will and will not do for your business. This should be in addition to your contract and any standard terms and conditions.
It is important that your business and your customers’ expectations are understood and assured by all parties involved in your supply chain.
Do you audit your suppliers regularly?
Many businesses will allow you to audit them, or provide you with regular updates of how they conduct activities. Securing the supply chain is often about promoting transparency and managing the relationship between businesses.
This could be as simple as a checklist, standard framework, periodic account management or formal assessments and audit.
Whilst these are only some examples of how you can begin to secure your supply chain, we recommend that you take a look at the National Cyber Security Centre (NCSC) Supply Chain Guidance for further information.
If you would like any more help or information from Eventura, or to speak with us about the services we provide, please contact us.