Date: 13 Oct 2020
Category: Technology Risk

Is your supply chain your biggest threat?

What do you do when your cloud service provider loses your data? 

There’s been the usual roll call of big-name data breaches in 2020: easyJet, Marriott, and of course Twitter and Zoom all suffered at the hands of cyber attackers. But one of the most significant for small businesses, and particularly charities, was Blackbaud, the cloud vendor of Raiser’s Edge, a service used by hundreds of UK charities to manage their fundraising activities. This one breach put at risk the data held by at least 125 organisations, including the National Trust, Sue Ryder and dozens of universities.

Cloud service providers are not only vulnerable to cyber attack, they are extremely attractive to cyber criminals. They host huge amounts of data and their business model requires constant availability. Blackbaud, a US company, actually paid the ransom demanded of it by the cyber criminals. Attacks like this are extremely frustrating for the leaders of small businesses and charities, who are seeking to reduce the need for in-house IT and cyber support and move IT services, and therefore security, increasingly into the cloud.

When you are considering moving services into the cloud, or moving between providers, what should you consider?

  1. Firstly, ensure that your service provider has ISO 27000 series accreditation for their information security arrangements. While this definitely does not mean they are invulnerable, it at least demonstrates commitment and investment on their part and an acceptable level of security.
  2. Secondly, review the security measures that your provider has in place and make sure that you are happy that these meet your needs. Even if you are on standard terms and conditions, your supplier should be able to tell you who has access to your data, how it is being secured, where it can be stored, and how it is being backed up.
  3. Thirdly, assume the worst – what if your data was lost or potentially compromised? Do you know what this organisation is holding on your behalf? Do you have a process to follow in the event of their reporting a data breach to you? Do you know how to decide if you need to inform your customers, and the ICO? 

Leverage all the work you have done around GDPR. It could probably use dusting off anyway. Some simple preparation can ensure that you don’t get caught out by a cyber attack outside your organisation.

Our Business Technology Consulting team work with our clients to manage technology risks within their businesses and across their supply chains.

If you require advice on your key technology and digital risks, or an in-depth assessment of your cyber security, speak to a member of our Business Technology Consulting team today or your usual Azets contact.
