Sharing sensitive data securely

March 2019

Do you ever stop and think about the amount of data circulating around your office? How can you protect your company and manage the vulnerabilities related to this information? Even if you’ve detected the gaps in your own cybersecurity, what about your business partners?

Imagine a scenario. You’ve taken months to analyze your risks and refine your cyberattack response strategy. A few weeks before the launch of a new product, you send the plans to a third party to apply the finishing touches. The next day, you learn that their security system was breached and the plans are now in the hands of your biggest competitor.

This is a real threat that brings to mind an old saying: A chain is only as strong as its weakest link. In this case, your partners and suppliers.

Companies today can rarely operate without outsourcing certain functions, however. And although working with third parties involves risk, you can still reduce your exposure.

Internal measures

If you’ve read our previous posts (here and here), you already know that knowledge is your best defense. The first step in protecting your company is taking inventory of risks and sensitive data.

Take stock of the categories of information that would have a negative impact if they were stolen, modified, inaccessible or disclosed. Look into the security regulations for your field of work and officially appoint someone to be in charge of third-party information security management. If you’re not sure where to start, refer to our cybersecurity summary guide.

Identifying risks

Before working with a new supplier, ask yourself if you’ll need to share anything that exposes you to major risk in the following categories.

  • Reputational risk: Sensitive information is disclosed that damages your image; causes clients, employees or business partners to sever ties with you; or compels you to bulk up your security measures. For example, if personal information is leaked to a social network.
  • Financial risk: A data breach incites your users, clients, employees, etc. to initiate a class action lawsuit against you. You must pay compensation.
  • Compliance risk: As a result of the exploited system vulnerability, your company fails to meet mandatory legal or regulatory requirements. You are fined and/or have your certification or licence revoked.

If you’re concerned about any of these situations, the best defence is to adopt a third-party maturity assessment protocol. That way, the risks you take will be calculated.


One of the most common vulnerability management practices is to screen prospective third-party partners by asking them to complete a multiple-choice systems security questionnaire. The number of questions and their nature should reflect the scope of the security challenges implicit in the subcontractor’s activities.

Ensure that the questionnaire is clear and plan to help suppliers fill it out. This type of self-assessment requires little effort from you, but the answers aren’t always contextualized and results may be imprecise.


Like a questionnaire, an interview can provide a snapshot of the security measures in place and help you evaluate their effectiveness. When you meet with the prospective supplier’s main representative, ask a series of open-ended questions for insight into the company culture.

This approach is more precise, but can be costly, as it requires preparation. Interviews also have to be conducted by someone with the skills to effectively collect and analyze answers.

Certification or audit report

Suppliers will often be certified to demonstrate their reliability and rigour when it comes to information security. There are endless programs to choose from, all with their own specifications.

Although certification is a useful indicator, it shouldn’t replace your own maturity assessment of a company. Certifications have different scopes. You still need to verify prospective partners’ security measures for yourself.

Final evaluation

Whatever method you go with, your assessment protocol needs to answer the following question: Can the third party adequately protect your sensitive data? If not, find another supplier. You could ask the company to increase their security measures, but the process will be long, costly and not necessarily fruitful.

Once you’ve found the right partner, make sure your contract includes a clear and specific security policy clause. Lay out detailed requirements, validation mechanisms and consequences for noncompliance. Without this clause, you have no leverage over suppliers if they don’t fulfil their obligations.

As we said, an effective plan is built on a solid understanding of your vulnerabilities. When dealing with third parties, keep in mind that they can become an attack vector—the weak link in your chain.

The greater the risks you’re exposed to and the more sensitive the information you share, the more rigorous your selection process needs to be. When in doubt, call on a security expert to guide you through the process and prevent nasty surprises down the line.


Follow us on LinkedIn

Our Facebook page