Business has become much more digital in the past few decades, and this has enabled a new level of collaboration between business partners, which, in turn, has brought new risks.
Network security tends to focus on keeping out people who don’t belong, but when you invite a third party onto your network, you are creating a legitimate access point over which you have very limited control.
With data breaches being so potentially costly, especially with new UK GDPR regulations coming into force in 2018, how can you protect your business without impeding a working partnership?
Incorporate security into contractual agreements
Just as a contract includes clauses indemnifying a party that suffers loss because the other party fails to meet its business obligations, it is becoming increasingly common to include the same for data breaches.
Reciprocal clauses that indemnify a party for breaches wholly within the other party’s control are becoming common, and should be included in most digital partnership contracts.
Don’t trust any security system you haven’t seen
While your own network security might be regularly audited and have strong endpoint security solutions in place, from a provider such as promisec.com, you have no way of knowing whether your partner takes security as seriously.
You could seek to perform a security audit of partnering companies to confirm a reasonable level of security before allowing any sensitive data to pass into their control. You could, and probably should, also restrict third-party access to only the data and areas of your network that are directly relevant to the joint venture, to minimise the potential damage.
Expect the same security from third-party logins as from employees
You probably have a fairly strict password and login policy for your employees, perhaps including two-factor authentication, to keep your network secure. You should apply at least equally strict restrictions, if not stricter ones, to third-party logins.
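The two previous points amount to a check that can be automated: every third-party account should meet the same login policy as an employee account, and should hold access only to the resources relevant to its partnership. The script below is an added illustration, not code from the original post; the account records, the policy thresholds (MFA required, 90-day password age) and the per-partner allow-list are all constructed assumptions, and a real deployment would read these from the identity provider and the partnership agreement.

```python
"""Audit third-party accounts for login-policy parity and scope of access.

Added example: the data model, policy values and sample accounts are
constructed for illustration and are not from any real environment.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    username: str
    kind: str                 # "employee" or "third_party"
    partner: Optional[str]    # partner organisation for third-party accounts
    mfa_enabled: bool
    password_age_days: int
    resources: Set[str]       # resources the account can currently reach


# One policy for everyone: third-party logins get no weaker rules (assumed values)
POLICY = {"mfa_required": True, "max_password_age_days": 90}

# Resources each partnership is entitled to, per the joint-venture agreement (constructed)
PARTNER_SCOPE: Dict[str, Set[str]] = {
    "acme-logistics": {"shipping-api", "orders-db-readonly"},
}


def audit_account(acct: Account, policy=POLICY, scope=PARTNER_SCOPE) -> List[str]:
    """Return a list of findings for one account; empty means compliant."""
    findings: List[str] = []

    # Same login policy regardless of account kind
    if policy["mfa_required"] and not acct.mfa_enabled:
        findings.append("mfa_missing")
    if acct.password_age_days > policy["max_password_age_days"]:
        findings.append("password_expired")

    # Third-party accounts are additionally limited to their partnership's scope.
    # An unknown partner has no agreed scope, so everything it holds is excess.
    if acct.kind == "third_party":
        allowed = scope.get(acct.partner or "", set())
        excess = acct.resources - allowed
        if excess:
            findings.append("out_of_scope:" + ",".join(sorted(excess)))

    return findings


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Audit every account and return only those with findings."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample data covering the compliant, non-compliant and unknown-partner cases
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", None, True, 30, {"hr-portal"}),
    Account("bob.acme", "third_party", "acme-logistics", False, 120,
            {"shipping-api", "hr-portal"}),
    Account("carol.acme", "third_party", "acme-logistics", True, 10,
            {"orders-db-readonly"}),
    Account("dave.unknownco", "third_party", "unknownco", True, 5, {"finance-share"}),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(findings)}")
```

Run as-is, the report flags `bob.acme` for missing MFA, a stale password and access to `hr-portal` outside the partnership's scope, and flags `dave.unknownco` because no agreement defines a scope for that partner at all; the compliant employee and partner accounts produce no output. Treating an unknown partner as having zero entitled resources is the deliberate choice here: an account with no agreement behind it should surface in the report rather than pass silently.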
Have a plan for if everything goes wrong
With the GDPR imposing very stringent notification rules in the event of a breach, you should have a plan in place for when a breach occurs, to keep the potential loss to a minimum.
This will include the mandatory notifications, but also locking down access to your data, fixing the breach, and then restoring access.