You know the vital importance of adopting cyber security measures. You’re fully aware of how crucial it is to protect your business, and that includes its reputation and its sensitive data.
You’ve quite rightly, and shrewdly, taken steps to install systems and processes to reduce the risk of technology failures that could open the floodgates for an attack. You’ve put in place a comprehensive educational programme for staff so that the human risk element is covered. You’ve even secured everything physically as well as digitally.
But are you missing anything? No? Are you absolutely certain?
Many business owners take fundamental steps towards cyber security so that everything inside the business is protected as best it can be. But what about OUTSIDE the business?
A lot of businesses these days outsource to third parties. Freelancers; contractors; agents: it’s a common way to deliver products and services, particularly when you’re in an industry that experiences peaks and troughs.
The thing is, any business that shares access to its sensitive data with third parties faces significant risk. If your business deals with freelancers, contractors or any other third parties then you will need to consider the importance of casting your cyber security net wider so that you can be sure you are not missing any potential weak spots outside of the walls of your business.
Be Sure to Set Policies for Third Party Suppliers
When you engage the services of a freelancer or contractor, do you request to see their own data security policies? Do you ask them to sign an agreement that protects you in the event of a data leak or other type of security breach emanating from an error or negligence on their part?
Your terms and conditions for third party suppliers must incorporate clauses that cover the steps you expect them to take to safeguard your data.
Any third party that is privy to your clients’ or employees’ data should be expected to take reasonable steps to protect that data. These steps could include ensuring that all devices used to process data are password protected and armed with up-to-date virus protection and firewalls; that security updates are installed in a timely fashion; and that devices and any portable storage are physically secured when not in use.
The agreement should also state that any compromise of your company data, for example loss, theft or unauthorised use of a device, should be immediately reported to you.
Be Prepared with an Action Plan
Following on from these policies and agreements, your organisation needs to have processes in place to deal with any breach. So, for example, you’re going to need to be ready with an action plan to handle situations where a freelancer’s laptop containing details of your customers is left on a train, or where a contractor’s iPad used to access your systems has been infected with malware.
If you’re not prepared for such occurrences then you need to make arrangements with your IT providers without delay. It always pays to plan ahead rather than firefight once an incident has already occurred.
You’ll need to be particularly careful where third parties are provided with access to your systems via their own devices. It’s best to introduce an arrangement that is similar to a BYOD (bring your own device) policy. The Information Commissioner’s Office (ICO) has some useful guidance on this subject.
The guidance highlights the seventh principle of the Data Protection Act, which says, “Appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data.” This basically means that sufficient security should be in place to protect personal data from being accidentally or deliberately compromised. It says this applies if personal data is being processed on devices which you may not have direct control over.
Remember that in the event of a breach, the ICO is going to be looking for evidence that you took all practicable steps to protect your data.
Time for a Cyber Security Review?
At IQ in IT, cyber security is our core priority. We work closely with businesses to make sure ALL their in-roads are secured so as to provide the best, most sophisticated levels of protection possible. To request your cyber security review, please get in touch.