‘Here be Dragons’: the risks of outsourcing data to third parties
Businesses have been stung by not having appropriate supplier checks or contracts, warns Brodies LLP
We live in what would, to our 10-year-old selves, have seemed like a science fiction future. An amazing inter-connected world where goods and services are just a few clicks away, the sum total of human knowledge is available from your smartphone, and in which, thanks to the internet, ‘intelligent’ fridges will soon be able to order our groceries. However, with that flexibility and convenience come new opportunities for criminals and hackers, and the need for a much greater awareness of security.
As organisations become more focused on their value-add to customers, technology makes it ever-easier to outsource non-core activities to third parties. Modern businesses rely heavily on outsourcing, whether for software development, cloud computing or even legal services. However, each time access to your data or to your premises is granted, whether onsite or via a remote data centre, risks can arise.
While modern technology enables flexibility, it creates new weaknesses, often in unexpected ways. A pertinent example was the data breach suffered by the US high street retailer Target in late 2013, in which millions of its customers’ payment card details were stolen by hackers. The criminals stole the login credentials of a third-party supplier that looked after Target’s refrigeration, heating, ventilation and air conditioning systems. The network access the supplier had been granted to maintain these systems ultimately allowed hackers to install malware on card readers in Target’s shops to harvest customers’ card details. The direct cost to Target as of late 2015 was somewhere in the region of $162 million, plus a further $90 million in insurance claims, and significant damage to its brand.
So how do you protect your business from third-party supplier risk? Firstly, make sure you set out clearly what you are responsible for in any contract with people whom you supply. Make sure you do the same with your own suppliers’ contracts and provide minimum standards and suitable indemnities for any loss or compromise of data you provided to them, and indemnities relative to your systems should something go wrong. Though relatively new, cyber cover will become as common as property or business interruption insurance and will mitigate the cost and impact of cyber breaches.
If you grant access to your premises or systems, restrict what the supplier can do using a “least privilege” approach – they should have access to carry out their contracted duties, but nothing more. Ensure that staff are vetted and trained in data security, and that they are aware of your own policies. Finally, audit your suppliers. Each supplier is different, and your sandwich provider will obviously require a different level of scrutiny to your payroll or data centre provider, so assess the risk on a case-by-case basis. Look for evidence of compliance with recognised industry standards, such as ISO 27001:2013 or Cyber Essentials Plus, which demonstrate a mature approach to security in their business.
While this new world is exciting and fast moving, there is also a potential for damage to the reputation, and even the existence, of your business. Like the pioneering ancient mariners who explored uncharted territories adorned with sea monsters on their maps, heed the warning – Here Be Dragons.
Damien Behan, IT Director, Brodies LLP and Alisdair Matheson, Partner, Dispute Resolution & Litigation, Brodies LLP. For more information, contact Alisdair on 0141-245 6762 or at firstname.lastname@example.org.