When you prepare to start working with a new supplier, they will tell you what is great about them and how they can help you. What you do to understand their organisation, and their supply chain, can be just as crucial.
We often ask suppliers how they secure their systems and handle our data so we can gauge how secure they are; but do you also think about their supply chain?
Their partners, subcontractors, processors and hosting companies could be inadvertently putting you at risk if your supplier has not carried out appropriate due diligence themselves. This can be especially important if they have access to your organisation’s sensitive company data, the personal data of your employees or even customers.
If there was a breach involving your data, this could affect your business’ reputation, ability to operate or could get you into hot water with the Information Commissioner if personal data has been compromised.
On 29 April 2017 Debenhams confirmed it was contacting 26,000 customers whose data it believed had been compromised through its supply chain. The supply chain can often be a much easier route for intruders to reach an organisation's data, as suppliers may be smaller and less prepared.
However there are steps you can take to protect against such risks or, at the very least, do everything that can be expected to ensure information security and data protection. Your customers and regulators will be much more understanding if you can demonstrate that you did everything reasonably possible to prevent the breach and in turn this could reduce the risk of a large fine should the worst happen.
The following simple steps will help you do this.
First do your due diligence on your suppliers; this can be crucial to you understanding and checking that suppliers have appropriate security and data protection controls in place. If they have good standards they will understand it is also necessary that their suppliers do too. If appropriate, it is a good idea to do this as part of any tender or before you commit to a contract.
This will also provide you with vital evidence to prove you have made appropriate checks, should there be a breach, which can be crucial when the Information Commissioner is deciding on action to be taken or the value of any fines. If you can demonstrate you have done everything that was reasonably possible, this can reduce the risk of a fine or significantly reduce any fine issued. This process will also increase your confidence in the security of your supply chain and provide evidence of your GDPR compliance.
A supplier questionnaire is a great tool to carry out your due diligence. Formulate a list of questions you want to pose to your suppliers regarding topics like:
- Data Protection.
- Security policies, controls and responsibilities within that organisation.
- IT systems, web security and the controls used to protect them from compromise, including:
  - Access controls: define acceptable login parameters such as password complexity, lockout after a set number of failed logins, etc.
  - Two-factor authentication for access from the internet.
  - Brute force prevention controls.
  - SQL injection prevention controls, etc.
- Compliance with standards and legislation e.g. ISO27001, Data Protection, Payment Card Industry (PCI), Cyber Essentials and GDPR.
- Visitor procedures and access control to their buildings, systems and your data.
- Who are their suppliers, partners, processors or hosting companies.
- Confirmation of the due diligence they have carried out with their suppliers.
- The location of your data, both geographically and within their network.
- Disposal of data, paper and IT equipment and compliance with required standards.
- Access to their network from the internet and how that is secured.
- How their staff are trained in Information security and Data Protection and how often this is refreshed.
- Employee vetting process, i.e. qualifications, references, criminal record check if applicable.
- Business continuity/disaster recovery or resilience arrangements.
- Backup arrangements, i.e. how often, backup encryption, secure transportation and storage.
- What encryption is used on hard drives, in transmission or on websites and is it compliant with relevant standards.
- Ask for copies of relevant policies i.e. Information Security, Data Protection, risk management, incident management.
- Always ask them about any incidents in the last 5 years and how they dealt with them. The ‘how’ can be the most important bit, but if they dealt with it well, that’s a good thing.
Most importantly, ensure they commit to carrying out the same level of due diligence with their suppliers and hosting/cloud service providers as they do with their own data. If appropriate, ask to see the due diligence or seek a written assurance that it has been carried out.
Risk Assessment and Mitigation
Once you receive the returned questionnaire and accompanying documents, assess their security and any weaknesses identified and specify improvements that you require them to carry out pre-contract. Define the mitigation you will find acceptable, along with expected timescales. It is recommended to get the supplier to formally acknowledge acceptance of the required improvements and confirm timescales. If possible, it’s always best to deal with weaknesses before the contract commences or any data is shared.
If you operate a risk management process such as ISO 27001, the risk assessment and questionnaire is a great input to your risk register to ensure risk is managed effectively.
Contract/Non-Disclosure/Data Protection Agreement
Ensure you have a well written contract, or supplementary agreement, that covers the responsibilities of you, your suppliers and their supply chain. Be specific with regard to data protection, information security and breach management requirements, and ensure you cover the full lifecycle of the data up to the end of the contract, or beyond if necessary. You may also want to include a remedies-for-breach section and a mandated requirement for them to inform you of any breach or security compromise within 24-36 hours, as you may need to notify the Information Commissioner within 72 hours. It can be helpful to list the mandatory security requirements in an attached schedule, so they can be tweaked for different contracts without affecting the legal agreement itself. Such written agreements with processors are expected under GDPR (Article 28) to demonstrate that appropriate controls have been agreed.
Consider a site visit to significant suppliers’ offices or data centres to obtain a level of comfort about their security and practices. If a part of their supply chain is key to your relationship, consider a visit to them. There is no substitute for validating that the security controls are effective by seeing them with your own eyes.
You will need to be pragmatic, as it won’t be possible or, in some cases, necessary to audit every supplier, therefore you will need to prioritise based on the level of risk. If nothing else, you may want to reserve the right to carry out a site visit during the contract to keep them on their toes!
Once your due diligence and legal agreements are finalised, make sure you regularly monitor your contractual arrangements. Consider regular meetings, spot checks or regular checks that will assist you in ensuring there are no issues to be resolved or emerging risks you could mitigate before it’s too late. Always enquire if there have been any issues in their supply chain.
Remember to document everything and keep copies of supplied supplier information. These will form part of your compliance evidence for regimes such as GDPR and ISO27001.
Depending on the supplier and the service they provide, you will need to adapt your due diligence to the risks and data involved. Not all scenarios will need the same level of review. Similar exercises can be prudent during tender processes or systems purchase.
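The risk-based prioritisation described above (assess the returned questionnaire, set the improvements and timescales you will accept, feed the result into the risk register, and scale the depth of review to the data and access involved) can be made repeatable with a small scoring model. The following is an added example, not part of the original article or any published standard; the question ids, weights, thresholds, timescales and the two sample suppliers are illustrative assumptions to be tuned to your own risk appetite.

```python
"""Risk-based triage of a returned supplier questionnaire (hypothetical model)."""
from dataclasses import dataclass
from enum import IntEnum


class DataClass(IntEnum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3   # sensitive company data
    PERSONAL = 4       # personal data of employees or customers (GDPR scope)


# Questionnaire items (hypothetical ids): description and the weight of the
# control being absent. Weight 3 gaps must be closed before any data is shared.
QUESTIONNAIRE = {
    "mfa_internet":  ("Two-factor authentication for access from the internet", 3),
    "sqli":          ("SQL injection prevention controls on web systems", 3),
    "encryption":    ("Encryption of data at rest and in transit", 3),
    "sub_dd":        ("Due diligence carried out on their own suppliers/hosting", 3),
    "breach_notify": ("Breach notification to us within 24-36 hours", 3),
    "lockout":       ("Account lockout after repeated failed logins", 2),
    "brute_force":   ("Brute force prevention controls", 2),
    "backups":       ("Encrypted backups, securely transported and stored", 1),
    "training":      ("Staff information security / data protection training", 1),
    "policies":      ("Security, data protection and incident policies supplied", 1),
}

# Assumed acceptable timescales per gap weight (see the pre-contract point above).
TIMESCALE = {3: "before contract signature / any data sharing",
             2: "within 30 days of contract start",
             1: "within 90 days of contract start"}

REVIEW_ACTIONS = {
    "HIGH":   "site visit to supplier (and key subcontractors) before contract; quarterly review",
    "MEDIUM": "documentary review of policies and sub-supplier due diligence; annual review",
    "LOW":    "questionnaire review only; re-check at contract renewal",
}


@dataclass
class Supplier:
    name: str
    data_class: DataClass
    network_access: bool   # do they connect into our network, or only receive data?
    subprocessors: int     # how many of their own suppliers/hosts touch our data
    answers: dict          # question id -> True if the control is confirmed in place


def inherent_risk(s: Supplier) -> int:
    """Risk before controls: what data they hold and how they reach it."""
    score = int(s.data_class) * 2
    if s.network_access:
        score += 1
    if s.subprocessors > 0:
        score += 1         # their supply chain is now part of ours
    return score


def control_gaps(s: Supplier):
    """Items not confirmed as in place; an unanswered item counts as a gap."""
    return [(qid, desc, weight) for qid, (desc, weight) in QUESTIONNAIRE.items()
            if s.answers.get(qid) is not True]


def residual_risk(s: Supplier) -> int:
    return inherent_risk(s) + sum(w for _, _, w in control_gaps(s))


def review_tier(s: Supplier) -> str:
    """How deep the due diligence goes; not every supplier needs a site visit."""
    gaps = {qid for qid, _, _ in control_gaps(s)}
    # Hard rule (assumption): personal data without a breach-notification
    # commitment is never tiered down, as we may have 72 hours to notify the ICO.
    if s.data_class == DataClass.PERSONAL and "breach_notify" in gaps:
        return "HIGH"
    r = residual_risk(s)
    return "HIGH" if r >= 12 else "MEDIUM" if r >= 7 else "LOW"


def remediation_plan(s: Supplier):
    """Each gap with the timescale we will accept, for formal acknowledgement."""
    return [{"control": desc, "required_by": TIMESCALE[w]}
            for _, desc, w in sorted(control_gaps(s), key=lambda g: -g[2])]


def risk_register_entry(s: Supplier) -> dict:
    tier = review_tier(s)
    return {"supplier": s.name, "inherent": inherent_risk(s),
            "residual": residual_risk(s), "tier": tier, "review": REVIEW_ACTIONS[tier],
            "remediation": remediation_plan(s),
            "blocks_contract": any(w == 3 for _, _, w in control_gaps(s))}


# Constructed sample responses, not real suppliers.
ALL_YES = {q: True for q in QUESTIONNAIRE}
PAYROLL = Supplier("PayrollCo", DataClass.PERSONAL, network_access=True, subprocessors=2,
                   answers={**ALL_YES, "mfa_internet": False, "sub_dd": False})
PRINTER = Supplier("PrintShop", DataClass.INTERNAL, network_access=False, subprocessors=0,
                   answers={q: True for q in QUESTIONNAIRE if q != "backups"})

if __name__ == "__main__":
    for s in (PAYROLL, PRINTER):
        e = risk_register_entry(s)
        print(f"{e['supplier']}: inherent {e['inherent']}, residual {e['residual']}, "
              f"tier {e['tier']}, blocks contract: {e['blocks_contract']}")
        for r in e["remediation"]:
            print(f"  - {r['control']}: {r['required_by']}")
```

The payroll supplier holds personal data, connects into the network and uses two sub-processors, so it starts with a high inherent score; two missing weight-3 controls (no 2FA from the internet, no due diligence on its own suppliers) push it into the HIGH tier and block the contract until those are fixed. The print supplier holding internal data with only a backup gap lands in LOW with a 90-day timescale. The hard rule on breach notification shows how a single contractual gap can override an otherwise modest score.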
Managing your supply chain well can be crucial to the reputation and effective operation of your business. It reduces risk, maintains good security and protects you and your customers from incidents relating to their data. It helps you by increasing your confidence in your supply chain and assists with documenting your compliance with legislative requirements, which can be essential should you be unfortunate enough to suffer a breach or incident.
It’s all about reducing risk and getting rid of weak security links while retaining an effective process that works for the business.
Remember you are only as good as your weakest link. Prevention is always better than recovery!