Enabling partners in a supply chain to share information and collaborate is crucial to a contracting organisation’s agility and competitive edge. However, once sensitive and confidential data or IP leaves that organisation’s central systems it is at risk of exposure to cyber security threats and access by unauthorised users.
Supply chains have evolved into supplier ecosystems that are increasingly lengthy, fragmented, complex and geographically dispersed. Each third party will have its own security framework, and take different measures to protect information against cyber attacks.
At the same time, every business is vulnerable to the ‘insider threat’. Human error, such as someone clicking on a malware-infected link in an email, and poor practice, for example PCs being left unlocked, can happen anywhere.
The increased mobility of today’s workforce also exposes data to loss or theft: employees are handling many different types of data over a variety of devices, systems, platforms and networks.
Organisations must have control of their data at all points on its journey through third party hands – and the controls applied must not impede the flow of information or ideas, or make processes impractical. The answer to protecting information lies in a data-centric approach to reducing third party risk.
Once any security gaps have been identified, you need to review the policies and procedures that set out how different types of data must be handled and controlled, amending existing policies and introducing new ones as necessary. They should be workable, clearly defined and documented in straightforward language.
Policies could set out, for example:
the corporate-approved tools and technologies that must be used, and when they should be updated
rules for the length and complexity of passwords
the requirement for auto-lock/self-destruct for lost or stolen devices.
Share the policies with all partners and contractors, and enforce them by writing requirements into third party contracts. Consider applying penalties for failures to meet these.
Writing requirements into contracts goes only part of the way to making sure policies are adhered to. Employees are often unaware of their specific role in preventing data breaches or loss, and as a result they can unintentionally put data at risk.
Put standardised staff security training programmes in place, and extend them to partner and contractor teams. This will ensure that every business in the supply chain is aware of its duty of care in protecting the data they handle on your behalf. Alongside ensuring that all third parties follow the same best practice, this will increase supplier engagement.
Programmes should educate users in understanding the specific risks and threats to the data, their responsibilities in protecting it, the policies and procedures they must follow, and how to apply any tools provided to them.
You might be well prepared for the upcoming EU General Data Protection Regulation (GDPR), but a study carried out by Apricorn has found that 17 percent of organisations have no plan in place for ensuring compliance.
GDPR legislates for uniform and comprehensive controls that protect the personal data of EU citizens. To avoid compromising the personal information of customers and employees, and avoid being fined for failing to comply with the legislation, it is not enough to ensure that good data protection is a foundation of your business policy and practices. You also need to demand that suppliers and partners can demonstrate the same.
Make it a contractual obligation that they are able to trace all personally identifiable information (PII) that belongs to your organisation, and document where it resides and how it’s stored, retrieved and deleted. Ask for evidence that they are limiting the data they hold – deleting everything that is not required for operations – as well as who is authorised to access it. Identify any areas of non-compliance, and demand that these are addressed immediately.
The encryption of data should be a key element of the security strategy. This will render information unintelligible if it does fall into the wrong hands – balancing security with availability.
Encryption is named explicitly in Article 32 of the GDPR as an example of an appropriate technical measure for protecting personal data (the Article requires measures appropriate to the risk rather than mandating encryption in every case). The regulation also states, in Article 34(3)(a), that an organisation need not notify each affected individual of a breach where the data concerned was rendered unintelligible to unauthorised persons, for example by encryption, allowing it to avoid the resulting administrative costs. The exemption applies only to notifying individuals, not to reporting the breach to the supervisory authority, and it only holds if the keys were not compromised along with the data.
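As an added illustration of the “unintelligible if it falls into the wrong hands” property the two paragraphs above rely on, the following Go program (written for this page, not code from the original article or any product it mentions) seals a file for a supplier with AES-256-GCM. The file name is bound in as associated data so a ciphertext cannot be quietly relabelled, and any bit flipped in transit, a wrong key or a wrong label makes decryption fail outright rather than yield corrupted plaintext. The sample plaintext and file name are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 32-byte key (AES-256). In practice this key
// would be shared with the supplier over a separate, authenticated channel.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext under key with AES-256-GCM. A random nonce is
// generated per call and prepended to the output; aad (here the file name)
// is authenticated but not encrypted, binding the ciphertext to its context.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag to the nonce slice we pass as dst.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It returns an error, not garbage, if the key, the
// associated data or any byte of the ciphertext is wrong.
func Open(key, sealed, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample data; the file name doubles as associated data.
	name := []byte("pricelist-2018.csv")
	sealed, err := Seal(key, []byte("constructed sample: supplier price list"), name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed (%d bytes): %x\n", len(sealed), sealed)

	// Simulate a single corrupted byte on the way to the supplier.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := Open(key, sealed, name); err != nil {
		fmt.Println("tampered ciphertext rejected:", err)
	}
}
```

The point worth noting for a supplier-facing policy is that GCM authenticates as well as encrypts: a partner that receives a modified or mislabelled file gets an error, not silently altered data, and the key, not the file, becomes the thing whose handling the contract has to govern.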
It is possible to prevent risk exposure in supply chains without compromising efficiency or productivity. By working to understand where the liabilities are, and taking proactive steps to address them, organisations can turn third parties from possible security risks into powerful security assets.