Treasury News Network

5 ways to protect your data from a supply chain cyber attack

Almost four out of 10 companies have experienced one or more information security breaches within the past year, according to a survey on data security breaches. The research, carried out by Texas-based M-Files and the Association for Information and Image Management (AIIM), also found that three out of 10 respondents to the survey felt that their organisation is not adequately protecting confidential and sensitive information.

Your weakest link

Weak points highlighted in the survey include:

  • unsecured network file folders that leave companies vulnerable to internal information security breaches;
  • paper files; and
  • data exposed by personal file sharing apps.

But even if you think you have adequate policies and systems in place to keep your data secure, can you be as confident about your suppliers? Small and medium-sized enterprises (SMEs) in the supply chain (including third party service providers) are being increasingly targeted by cyber criminals. With fewer resources to spend on data protection, smaller businesses have become the 'weakest link'.

The cyber attack on US retailer Target in December 2013 was one of the biggest data security breaches ever reported and was caused by malware installed on the company's networks, which stole the payment card data of 40 million customers. But the hackers didn't exploit a weakness in any of Target's systems – they attacked a subcontractor for the retailer, which had access to Target’s network.

How to handle external data risks

So how can companies deal with risks that seem to be beyond their control? Here are five ways companies can minimise risk from third parties:

  1. Third parties shouldn't be given unnecessary access to corporate systems. There should be a process to assess how much access a third party needs to a corporate system and this should be kept to a minimum.
  2. No single individual should be able to access critical systems or sensitive data on their own. All access should be granted through an approval system involving company managers and colleagues.
  3. Companies should take a collaborative approach to cyber security and work with their suppliers and third-party service providers.
  4. Devices in the supply chain that require access to another organisation's network should be treated as untrusted.
  5. Since many breaches are achieved through social engineering, education and communication are key to ensuring all employees are aware of the dangers and know how to recognise and handle a socially engineered attempt.
