Giant Tiger made the news this month with a security breach related to a third party. The discount retailer used another company to manage customer engagement and communications. Customer data, including contact information and home addresses, was compromised, leaving Giant Tiger with the task of contacting customers to warn them of the phishing emails and phone calls likely to follow.
AT&T data has once again found its way to the dark web. This company has been besieged by data breaches affecting millions of customers for the past several years, necessitating changing millions of passcodes and reaching out to clients whose sensitive data has been leaked. AT&T also has stated that some of its breaches may be due to third parties.
How knowledgeable are you about the companies that help you do business? Are you confident other companies will protect your customers’ sensitive data?
ISO 27002:2022 includes 11 new controls (not in the 2013 standard), some of which deal with securing information in relation to third parties. For example, the cloud services and data leakage prevention controls will be important if your data is being used by external personnel or systems. The control for business continuity can mitigate disruption of services to your clients following a critical event.
People controls are invaluable as well, helping your business secure information handled by third-party suppliers and by the internal personnel who interact with them.
When these controls aren’t put in place, there is a greater risk of data breaches, which can mean inconvenience to your customers if services are affected, and damage to your reputation if sensitive data is leaked. Your customers count on you to protect their information. You have to be able to count on any party with whom you interact to be just as committed to protecting that data as you are.
A professional audit can weed out the weak links in your internal and external infrastructure. We can help you assess potential issues with third parties before they arise. We can suggest controls to ensure that these parties conform to your clients’ needs for safe interaction with your business. If you’re still operating under the 2013 standard, and you haven’t had a recent assessment, this would be a good time to take advantage of these added controls to prevent issues that are now addressed in the 2022 standard. A little rigorous inquiry now can only build your company’s strength of reputation in your industry going forward.