In July 2024, 33 million phone numbers held by Twilio, a US customer engagement platform, were compromised following a breach of the company’s third-party app, Authy. The hacking collective, Shinyhunters, claimed responsibility.
This was the latest in a seemingly never-ending list of significant data breaches. Others include attacks against the NHS in Dumfries and Galloway and in London, as well as against the MoD, where the details of more than 270k service personnel were compromised.
Among other lessons, these examples show why it’s vital that you know and trust your supply chain.
Third party vendors help you operate efficiently and conduct your business. However, a supply chain has hazards that every risk manager must identify and mitigate.
Risks to data, like those above, happen every day. Suppliers may have access to your sensitive data, personally identifiable information (PII) or systems. Any weakness in their security puts your information at risk.
Similarly, legislative changes can affect how you operate and what you need your suppliers to do. If they don’t comply with change, they can leave you open to legal and financial consequences, or even create vulnerabilities in your security systems and processes.
Now that the UK has a new, proactive government it’s essential to be aware of new legislation and guidelines that could affect you and your suppliers.
Slip-ups in a supply chain can lead to dramatic failure. When the cargo ship Evergreen blocked the Suez Canal in 2021, 12% of world trade was held up. It might be an extreme example, but remember that any delay in your supply chain could undermine customers’ trust in you and endanger your reputation.
Here are some tips to help you mitigate risk:
- Criticality – A contract’s value does not indicate its importance. ‘Smaller’ suppliers might provide a niche component or vital piece of software. Map your business process and understand dependencies.
- Due diligence – When selecting a supplier, check their certification, reputation and practices.
- Contracts – Set up a through-life contract stipulating exactly what’s required. This should cover how data is handled, confidentiality, service level agreements, recovery time objectives, conflict resolution and how to get your data back at the contract’s end.
- Compliance – Assess the security of your suppliers. Do they meet standards such as ISO27001?
- Monitor – Establish how you will monitor service levels, for example through metrics, open communication, regular review, or a risk management platform.
- Fail to plan, plan to fail – Include suppliers in your business continuity testing.
Although suppliers are essential to success, it’s equally important to understand the risks you face and implement risk management strategies that protect your business and its data.
Risk Evolves can provide you with comprehensive guidance on managing your supply chain.
Contact us for a free no-obligation consultation.