If you rely on third parties – suppliers or service providers – to process your data, then you have a responsibility to check they have appropriate cyber security measures in place.
What is third-party data?
Any data collected by another business that isn’t directly linked to your customers or users is known as third-party data.
Why is risk-monitoring important for third parties?
When using third-party data, much of your cyber security risk may be in the hands of others. You need to understand these risks and be confident that appropriate cyber security measures are in place to protect your business and your customers.
The Information Commissioner’s Office advises that you should be choosing your providers with data protection in mind. Under the General Data Protection Regulation (GDPR), you’re responsible for any personal data that is handled by third parties that contract with you.
What do I need to do?
Identify all suppliers and service providers that you rely on. Use the following questions and answers as a guide for what to look for when assessing their cyber security.
If you’re concerned about any of their answers, you should insist on action before engaging with them.
FSB members can call FSB Cyber Protection for further advice and guidance.
1. Does the third party have the Cyber Essentials or Cyber Essentials Plus certification, and if so how current is it?
Cyber Essentials certification shows that the provider has a basic understanding of cyber security issues and the main controls. If they don’t already have this, you may want to insist on this before you engage.
Other standards that are relevant are:
- Payment Card Industry (PCI) compliance for credit card data.
- ISO27001 for information security management, which is a good indication that they take security seriously.
2. Have they experienced cyber security incidents in the past, and if so, how often? What was the severity of those incidents and the quality of their response?
If they had an incident, what was learned from it and how was security improved?
3. Does the third party maintain cyber security policies, such as a written security policy or plan?
Absence of any plan or cyber security policy suggests they do not understand the issues, so the risk of using this third party is high.
4. Does the third party undertake background screening of employees?
If employees are screened, this increases your assurance.
5. Do they implement human resources practices, such as cyber security training, and how do they handle employee terminations?
If processes are in place to support this, then the risks of compromise and insider threats are reduced.
6. How do they control access to their data? Do they have internal controls in place that restrict access to information and that uniquely identify users so that access attempts can be monitored and reviewed?
If they do not have any access controls, then the risk of a cyber security incident is much higher. Also, if no logs of access are maintained you will struggle to investigate any incident that does occur.
7. Check their encryption practices. Is information encrypted at rest? Is the information transmitted to or from the third party properly encrypted? Are cryptographic keys properly managed?
Data ‘at rest’ is stored data which is not currently being transmitted. For example, database traffic may be encrypted in transit over a network but not whilst ‘at rest’ on the database server itself.
You should insist that any data you exchange with the third party is encrypted in transit and also encrypted at rest (i.e. on a disk or in a database).
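As an added illustration of what “encrypted at rest with properly managed keys” means in practice (this is example code written for this page, not FSB’s or any provider’s own implementation), the Go program below stores each record under its own data key and wraps that data key with a separate key-encryption key (KEK). The KEK is a plain variable here as an assumption of the example; in a real deployment it would live in an HSM or a cloud key-management service, away from the disk. The record and identifier are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what actually lands on disk or in a database column:
// the record ciphertext plus the per-record data key, itself encrypted
// under a key-encryption key (KEK) held elsewhere (an HSM or cloud KMS in
// practice; a variable here, as an assumption of this example).
type Envelope struct {
	WrappedDataKey []byte // data key, encrypted under the KEK
	Ciphertext     []byte // record, encrypted under the data key
}

// NewKEK generates a 256-bit key-encryption key.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return kek, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under key, binding aad (here the
// record identifier) so a ciphertext cannot be silently moved between records.
// A fresh random nonce is prefixed to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; GCM's authentication tag makes any tampering fail closed.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptAtRest protects one record: a fresh data key per record, the record
// sealed under it, and the data key sealed under the KEK. A stolen disk or
// backup without the KEK yields nothing readable.
func EncryptAtRest(kek, record []byte, recordID string) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dataKey, record, []byte(recordID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dataKey, []byte(recordID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// DecryptAtRest unwraps the data key with the KEK, then opens the record.
func DecryptAtRest(kek []byte, env Envelope, recordID string) ([]byte, error) {
	dataKey, err := open(kek, env.WrappedDataKey, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext, []byte(recordID))
}

func main() {
	kek, err := NewKEK()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, standing in for data a supplier holds for you.
	record := []byte("customer 42, card ending 1234")
	env, err := EncryptAtRest(kek, record, "record-42")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored ciphertext (%d bytes) differs from plaintext: %v\n",
		len(env.Ciphertext), string(env.Ciphertext) != string(record))

	pt, err := DecryptAtRest(kek, env, "record-42")
	fmt.Printf("decrypt with KEK: %q err=%v\n", pt, err)

	// A wrong record identifier (or any tampered byte) is rejected by the GCM tag.
	_, err = DecryptAtRest(kek, env, "record-43")
	fmt.Printf("decrypt under another record id: err=%v\n", err)
}
```

The point of the envelope layout is that the question to ask a supplier is not only “is the disk encrypted?” but “where is the key, who can use it, and can it be rotated?”: rotating the KEK only means re-wrapping the small data keys, not re-encrypting every record.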
8. Where will the data be stored?
If the third party uses cloud or hosting services then your data may be stored outside the UK. This is especially important if any of the data is personal data, as data protection laws require this to be stored in approved countries.
9. What physical security measures do they have in place? How do they use personnel and technology to prevent unauthorized physical access to their facilities?
If any backups or servers are kept in unsecured locations (such as their offices) then your data may be stolen by thieves.
10. What back-up and recovery practices do they follow?
It’s important that you check that the third party has robust backup solutions in place.
11. How do they keep their software up to date?
A responsive and thorough software update process reduces the risk of a cyber incident arising from vulnerable software.
12. How does the third party manage risks in their own supply chain?
The third party should ideally have cyber incident processes in place and be aware of the risks from their own supply chain.
13. What are their incident response plans? How is evidence of an incident collected and retained so as to be presentable to a court? Does the third party periodically test its response capabilities?
In the event of a cyber security incident, you want to know that the third party will be able to investigate promptly and thoroughly.
14. Do they conduct regular, independent audits of their privacy and information security practices?
This is something you should insist upon.
15. Do they have cyber insurance?
You should ask for the details of their insurance. Just as you expect them to have fire insurance and property insurance, ask your vendor to have cyber security insurance so they can financially recover quickly and be a strong ongoing partner.
You don’t want your business to be damaged by a significant security issue at their company.