Could you be vulnerable to a supply chain breach? Here’s what to do about it

Data breaches along a company’s supply chain can lead to fines, loss of trust and suspension of vital operations. So why is this risk still overlooked?

By Nigel Jones

Co-founder of The Privacy Compliance Hub

July 2023

When the secure file transfer tool MOVEit was hit by a cyber attack earlier this year, the impact was felt far and wide. In the UK, British Airways, Boots, the BBC, Aer Lingus and Shell have all revealed they’ve been affected. Experts estimate as many as 200 organisations around the world and 17.5 million people may have been caught up in the data breach. 

Supply chains are a tempting target for criminals looking to exploit vulnerabilities of multiple businesses at the same time. By their very nature, supply chains are often long and unwieldy, stretching across geographies, with little visibility into potential threats. When a data breach does occur, it can be challenging to find the source, which slows the response time and maximises the impact a criminal can have. Only 47% of organisations say they share knowledge about ransomware attacks with suppliers.

As with MOVEit, the domino effect can be significant. A data breach along your supply chain can disrupt vital operations, damage the relationship and trust between a business and its customers, and lead to substantial costs to put the problem right. The consequences – and fines – can be as severe as if the data breach was your own. 

It’s also a risk that’s increasing, driven by the shift to a remote workforce, expansion of digital supply chains, and adoption of complex technology architecture. Research by the security company Sophos in 2020 found nearly one in 10 ransomware victims said the attack started with a trusted third-party supplier. One year later, Sonatype’s State of the Software Supply Chain report found there had been a 650% increase in supply chain attacks.

And while many businesses are getting on top of their own privacy compliance, there’s still a lack of awareness of their data protection obligations within supply chains.

Some are unsure about what they should be asking suppliers to do. Others struggle with a lack of visibility or do not have the right tools and other resources to properly evaluate the risk posed by their supply chain.


As always with privacy, there aren’t any quick fixes. But here are five recommendations to ensure your supply chain is putting privacy first. 

1. Do your due diligence

Before entering into a new agreement, do not just assume a third-party vendor takes privacy compliance seriously. Ask them. Before sharing any information, insist that they complete a privacy and security audit to investigate their systems and processes, and identify any vulnerabilities. Do they have strong security measures such as encryption and two-factor authentication? Are they engaging in regular staff privacy training? What’s their data breach response plan, and how do they communicate with the supply chain if an attack occurs? Consider whether you should also do a data protection impact assessment.

2. Put it in the contract

Make sure that you enter into an adequate data processing agreement with each third-party processor of personal information. Such agreements should (among other things) state that third parties will only act on your documented instructions, will not engage a sub-processor without your prior written approval, and will delete or return all personal data to you at the end of the agreement. Of course, the agreement should also oblige the third party to comply with the GDPR (and the UK GDPR if relevant).

3. Spend time supply chain mapping

You need a clear understanding of your supply chain risk profile and visibility as to how data flows between you and suppliers. The NCSC has a good guide, but typically this would involve a full inventory of suppliers, details about how information flows, what the information is, where it is going and a record of each audit. It’s also a good idea to imagine what a targeted attack on a supply chain could look like. How would you respond? You may spot risks that could be better managed by a change to a process or contract.


4. Minimise the amount of data shared and who can access it

Information that isn’t shared with a third party can’t be processed insecurely by that vendor. This principle of data minimisation is your best defence against a data breach occurring at one of your suppliers. Likewise, your own employees should only be able to access information that is relevant to their job function. Ensure that your third-party suppliers similarly limit access to the information shared with them. You may also want to consider encryption, anonymisation or pseudonymisation before sharing information.
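The following is an added illustration of the two techniques in this recommendation (minimisation and pseudonymisation); it is example code written for this article, not a tool from The Privacy Compliance Hub. It assumes a simple in-house export step that strips every field the vendor has no need for, replaces the direct identifier (here the email address) with a keyed HMAC token, and keeps the token-to-identifier lookup on your own side so the data stays pseudonymised rather than anonymised. The records, field names and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample customer records (invented people, not real data).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example", "dob": "1990-04-02",
     "order_total": 120.50, "postcode": "SW1A 1AA"},
    {"email": "bob@example.com", "name": "Bob Example", "dob": "1985-11-23",
     "order_total": 35.00, "postcode": "EH1 1YZ"},
    {"email": "alice@example.com", "name": "Alice Example", "dob": "1990-04-02",
     "order_total": 80.00, "postcode": "SW1A 1AA"},
]


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym for an identifier.

    The same identifier always maps to the same token, so the vendor can still
    link a person's records together, but without the key the vendor cannot
    reverse the token or test guesses against common email addresses
    (a plain unkeyed hash would allow that).
    """
    digest = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def prepare_for_vendor(records, allowed_fields, identifier_field, key):
    """Minimise and pseudonymise records before they leave the organisation.

    Returns (vendor_records, lookup): vendor_records contain only the allowed
    fields plus a "subject_id" token; lookup maps token -> original identifier
    and must stay in-house (it is what makes the data pseudonymous, not
    anonymous).
    """
    vendor_records = []
    lookup = {}
    for rec in records:
        token = pseudonymise(rec[identifier_field], key)
        lookup[token] = rec[identifier_field]
        out = {"subject_id": token}
        for field in allowed_fields:
            # Only copy fields the vendor has a documented need for.
            if field in rec and field != identifier_field:
                out[field] = rec[field]
        vendor_records.append(out)
    return vendor_records, lookup


def leaked_identifiers(vendor_records, identifier_values):
    """Pre-release check: return any raw identifier that still appears in the export."""
    blob = repr(vendor_records).lower()
    return [v for v in identifier_values if v.lower() in blob]


def reidentify(token: str, lookup: dict) -> str:
    """Map a vendor-side token back to the real identifier, in-house only."""
    return lookup[token]


if __name__ == "__main__":
    export_key = b"constructed-example-key-keep-this-in-your-kms"
    vendor_view, in_house_lookup = prepare_for_vendor(
        SAMPLE_RECORDS, allowed_fields=["order_total"], identifier_field="email", key=export_key
    )
    for row in vendor_view:
        print(row)
    print("raw identifiers in export:", leaked_identifiers(vendor_view, ["alice@example.com"]))
```

The vendor receives only a token and the order total; name, date of birth and postcode never leave your systems, which is the minimisation point. Because the token is keyed, a breach at the vendor exposes neither the email addresses nor a value that can be matched against a list of known addresses, which is the difference between pseudonymisation done with an HMAC and a bare SHA-256 of the email.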

5. Proactively review your suppliers and agreements

Make sure audits are regularly updated. Review and update data processing and data sharing agreements if necessary to ensure they accurately reflect the processing being carried out, and to assess whether such processing continues to be justified. That’s especially important when it comes to special category data and children’s information. And when an agreement comes to an end, make sure the third-party vendor does what is specified in the contract – whether that’s destroying data or returning it to you. It’s easy for such steps to be overlooked.
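As an added example covering both the supply chain mapping in recommendation 3 and the proactive review in recommendation 5 (not code from this article or from The Privacy Compliance Hub), the register below holds the inventory the NCSC-style mapping exercise produces for each supplier: what categories of data flow to them, whether a data processing agreement is in place, when they were last audited, which sub-processors you approved versus which they actually use, and whether end-of-contract deletion was confirmed. The review function turns that register into a list of findings. Supplier names, dates, the one-year audit interval and the set of special categories are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Assumed for the example: categories that warrant a tighter audit cycle.
SPECIAL_CATEGORIES = {"health", "biometric", "children"}


@dataclass
class Supplier:
    """One row of the supply chain map: who gets what data, under what controls."""
    name: str
    data_categories: Set[str]          # what you send them, e.g. {"contact", "health"}
    dpa_signed: bool                   # data processing agreement on file
    last_audit: Optional[date]         # None if never audited
    approved_subprocessors: Set[str] = field(default_factory=set)
    actual_subprocessors: Set[str] = field(default_factory=set)
    contract_end: Optional[date] = None
    deletion_confirmed: bool = False   # data destroyed/returned after contract end


Finding = Tuple[str, str, str]  # (supplier, code, detail)


def review_suppliers(suppliers: List[Supplier], today: date,
                     audit_max_age_days: int = 365) -> List[Finding]:
    """Apply the article's review points to every supplier in the register."""
    findings: List[Finding] = []
    for s in suppliers:
        if not s.dpa_signed:
            findings.append((s.name, "NO_DPA", "no data processing agreement on file"))

        # Audit freshness; special category data gets half the normal interval.
        if s.last_audit is None:
            findings.append((s.name, "NEVER_AUDITED", "no audit record"))
        else:
            age = (today - s.last_audit).days
            if age > audit_max_age_days:
                findings.append((s.name, "AUDIT_OVERDUE", f"last audit {age} days ago"))
            elif s.data_categories & SPECIAL_CATEGORIES and age > audit_max_age_days // 2:
                findings.append((s.name, "SPECIAL_CATEGORY_AUDIT_OVERDUE",
                                 f"special category data, last audit {age} days ago"))

        # Sub-processors used without your prior written approval.
        unapproved = s.actual_subprocessors - s.approved_subprocessors
        if unapproved:
            findings.append((s.name, "UNAPPROVED_SUBPROCESSOR", ", ".join(sorted(unapproved))))

        # Contract ended but deletion/return of data never confirmed.
        if s.contract_end and s.contract_end < today and not s.deletion_confirmed:
            findings.append((s.name, "END_OF_CONTRACT_UNCONFIRMED",
                             f"contract ended {s.contract_end.isoformat()}"))
    return findings


def build_sample_register(today: date) -> List[Supplier]:
    """Constructed register with three invented suppliers for the example."""
    return [
        Supplier("PayrollCo", {"contact", "bank"}, True, today - timedelta(days=100),
                 approved_subprocessors={"CloudHost"}, actual_subprocessors={"CloudHost"}),
        Supplier("MarketingTool", {"contact"}, False, None,
                 actual_subprocessors={"EmailRelay"}),
        Supplier("HealthScreen", {"health"}, True, today - timedelta(days=300),
                 contract_end=today - timedelta(days=30), deletion_confirmed=False),
    ]


if __name__ == "__main__":
    review_date = date(2023, 7, 1)
    for supplier, code, detail in review_suppliers(build_sample_register(review_date), review_date):
        print(f"{supplier:14} {code:32} {detail}")
```

Running the review over the sample register flags the marketing tool for a missing agreement, no audit and an unapproved sub-processor, and the health screening vendor for a stale audit on special category data and an unconfirmed deletion after its contract ended, while the payroll supplier passes. Kept as a dated record, the findings list is also the audit trail the mapping exercise asks for.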

Ready to get started? The Privacy Compliance Hub contains all of the necessary template agreements, records, audit questionnaires and training you need. Let us show you how it works.
