While acts of negligence or simple human error are often the cause of a data breach, as your third-party network expands, the room for error also broadens. And in the case of a rogue employee, who has access to key applications, storage systems and valuable data makes them potentially riskier than outside cybercriminals, trying to break in through malware or viruses.
With this in mind, Experian’s latest Whitepaper ‘Supply chain risk: The hidden threat to British businesses’ has revealed that when it comes to security auditing, businesses are not always carrying out frequent or stringent checks and could be putting themselves at preventable risk.
While our latest research has shown that of the organisations we questioned (from medium/ large UK businesses) 60% carry out vetting of key individuals within all third-party suppliers. But what about the remaining 40%? Also of concern is only 28 % of organisations vet key individuals within some third-party suppliers. But what about the other vendors in your network that aren’t being vetted? And why only ‘key individuals’. Contractors and part-time staff, as well as directors and managers, can be thoroughly vetted with the right access to key support services. The opportunity is to include this key activity within your security auditing procedures – clearly determining when you believe this vital activity should take place to help you reduce this vulnerability to your business.
Simple steps, such as carrying out regular background checks on employees and contractors, can put an organisation in a stronger position – and help keep its customers safe. Our findings on this topic have outlined that only 29% of businesses carry out vetting of key individuals within third-party suppliers quarterly. Most businesses (94%) are doing this once a year. Interestingly, it’s the organisations that have suffered a breach and have the wisdom of hindsight that are investing in more frequent employee checks.
As well as background checks and screening, it’s also wise to limit access to sensitive data to those who absolutely need to see it. And this policy should be the same throughout your third-party supply chain. Maintaining this procedure within a central governance process will ensure you have clarity across your estate and related third parties.
Here are five steps that businesses can take to minimise their supply chain risk:
- Diligent background checks and screening of individuals.
- Verify security practices and procedures of vendors, suppliers and partners
- Implement centralised governance for I.T. procurements
- Limit access to data in all your networks
- Frequent data cleanses and quality checks
Withstanding a data breach:
To withstand a data breach, organisations need to know where their sensitive data is – and more importantly, who has access to it. Viewing your supply chain as an extended team can help integrate this as part of business process. If background checks are carried out on your own staff, you can look at ways to integrate or make sure the same is carried out throughout your vendor network. The standard of compliance needs to be yours, not theirs. With a holistic approach, you will be more in control of your security – and this results in improved safeguarding of customers’.
If you need support preparing in advance for a data breach in line with GDPR notification requirements learn more here – Know, Prepare Recover: www.experian.co.uk/databreach