IT Security: Are Your Outsourcing Partners Compliant?

By Jane Jenkins|9 March 2017

Data security is an issue that no business can afford to ignore. Cybercriminals and hackers are smart, organised, persistent and keen to break into any organisation that contains consumer data or commercially sensitive information.

Over the last few years, the security of data has come under threat. Data breaches are more common, as we have seen with attacks on TalkTalk, Sage, Yahoo, eBay and hundreds of other well-known, seemingly secure brands. Attacks on small businesses occur more frequently, but often go unreported. 

Once stolen, confidential data can be used several ways. It is usually sold on the dark web. Criminals profit through identity theft and financial fraud. At the same time, consumers lose confidence in the brand responsible for looking after their data. Smaller organisations also suffer, with financial implications, either through bribery, or when customers withdraw business as a result of the data breach. No one wants to suffer through the stress and extra costs. No one is safe in assuming it won’t happen to them anymore.

How to Safeguard Data

IT managers have multiple considerations when assessing the security framework of their organisation. Internal processes now include many staff that bring their own devices. Software startups, outsourced IT partners, marketing companies, and other vendors - large and small - are all handling your data, which means policies between organisations need reviewing to ensure every connection in the value chain is secure.

Here are a number of ways you can stay safe when handling sensitive data.

#1: Design an IT security policy. Start by mapping out data flows, who handles information and where it goes. Aim to understand what needs encrypting, where there are weak points and what is currently holding your data security together. How much do staff understand? Do they know not to download sensitive information on a laptop or phone without an encryption?

Once you have a clear picture of the internal environment, map out the external.

#2: Review IT partners and vendors’ security. Focus on every partner and vendor that has access to internal systems, or is being given access to sensitive information. For example, cloud-software providers are everywhere in the value chain, from email marketing to document sharing. IT companies can manage websites, email, phones and numerous other services, either internally or through other software vendors. 

Take a look at other suppliers, including marketing agencies and any firm that handles data with commercial value. Read the relevant data policies and ask questions to ensure you are confident that you know how information is transmitted and stored.

#3: Risk assess. With this investigation complete, you can assess what needs to change and how to create an IT security strategy that includes internal and external suppliers and policies.

#4: Create a Data Classification Policy. Most organisations’ need three levels as a minimum:

  • Restricted: Highly sensitive, needs to be controlled and access should be limited to a need-to-know basis.
  • Confidential: Limited access, within a closed group, team or department. This is for moderately sensitive data.
  • Non-sensitive, so no controls are needed and some of the information is probably already online.

With this in place, it will be easier to know what to share with external providers and how much or little security needs putting in place around that data.

#5: Manage an Encryption Process. Knowledgeable IT partners can find the right encryption solution for your business and the data you are storing and sharing. Make sure the relevant staff know how to use it and when to encrypt information. For example: A director wants to upload restricted documents to the cloud to access at home on the weekend. To keep these documents safe, they should be encrypted before uploading to the cloud and downloaded - at home - on a secure VPN. 

At every stage, those handling sensitive information need to understand that security is key, including external IT partners. Only this way can organisations’ avoid the embarrassment and financial costs of a security breach.

If you would like to discuss any of the above, especially if you would like to find out more about how IT service providers protect clients’ data and the security of their IT estate, please get in touch. Call tel:+44 845 643 6060 or email

Further Information

Pushing the start button on Information Governance

Find the answers to your information Governance questions.


Subscribe to our blog notification service

and have our latest blogs emailed directly to you.
It's quick, easy and you can opt out at any time.


Our Partners

phone icon.png

Phone+44(0) 845 643 6060