IMHO: Ensure third parties are safe with your data

Directors should require ISO/IEC 27001-certified partners for customer data handling.

Type: Article
Author: Alan Hard MInstD, CEO and Chair, Marketing Impact
Date: 15 Apr 2025
Read time: 3 min

OPINION: In an era where data security breaches are increasingly common, directors must prioritise safeguarding customer information. 

Organisations frequently share sensitive data with third-party providers, including mail, email and fulfilment services (warehousing and distribution). These vendors play a crucial role in business operations but also introduce significant security and regulatory compliance risks. 

To mitigate these risks, directors should mandate that third-party service providers hold ISO/IEC 27001 certification, the most widely recognised information security management system certification in New Zealand and internationally. 

This international standard for information security management systems (ISMS) requires partners to operate a risk-based set of security controls that is independently audited, reducing the likelihood of data breaches and regulatory violations. Certification is not a guarantee against breaches: it attests that, at the time of audit, the provider ran an ISMS meeting the standard within a stated scope, so the value of the certificate depends on that scope covering the services that actually handle your data.

Customer data is a valuable asset and mishandling it can lead to severe consequences. Mail, email and fulfilment service providers process large volumes of personally identifiable information (PII), including names, addresses and financial data. 

Without robust security measures, they become attractive targets for cyberattacks. ISO/IEC 27001 certification requires providers to assess their information security risks, to implement the controls they select from the standard's Annex A (which covers areas such as cryptography, access control and supplier relationships), and to justify in a Statement of Applicability any control they leave out. Applied properly, this significantly reduces breach risk.

Without certification, organisations risk exposing sensitive customer information to providers with inadequate security protocols, increasing the likelihood of a breach. This could result in financial losses, reputational damage, and legal repercussions. 

New Zealand organisations must comply with the Privacy Act 2020, including its mandatory notification of serious privacy breaches, and failure to do so can result in regulatory action, compensation claims and legal liability. ISO/IEC 27001 aligns with many legislative and regulatory requirements, helping organisations demonstrate due diligence in protecting customer information.

Directors whose organisations engage only with ISO/IEC 27001-certified service providers have independent evidence that their partners operate the controls needed to meet legal obligations. Outsourcing the processing does not outsource the accountability for the data, so that evidence should be checked rather than assumed. This proactive approach minimises legal risk and protects the organisation from the penalties associated with non-compliance.

Customers are increasingly aware of privacy issues and expect businesses to handle their data responsibly. A data breach can erode trust, damage reputation and reduce revenue. By partnering with ISO/IEC 27001-certified providers, organisations reassure customers that their data is managed with the highest security standards.

Additionally, investors and other stakeholders are increasingly concerned about data security risks. Cybersecurity breaches can have long-term financial and reputational consequences. You may have heard the stories. Demonstrating a commitment to high security standards by requiring ISO certification for all third-party data handlers enhances the organisation’s credibility and competitive advantage.

Managing information security risks is complex, and ISO/IEC 27001 provides a structured approach for identifying and mitigating threats. Engaging with certified partners reduces the burden on internal security teams, streamlining vendor management while maintaining high security standards.

Moreover, the standard's Annex A controls include information security continuity and ICT readiness for business continuity, so a certified supplier's continuity arrangements for its information systems fall within the audit. That supports resilience in the event of a cyberattack or service disruption, although a full business continuity management system is the subject of a separate standard, ISO 22301, and should be asked about explicitly where it matters.

Cyber threats are constantly evolving, requiring proactive security measures. ISO/IEC 27001 mandates ongoing monitoring, internal audits and continual improvement of security practices, and an accredited certificate is maintained through annual surveillance audits and a full recertification audit every three years. A "no-breach" track record from a mail, email or fulfilment services provider is not enough. Organisations sharing their customer data should proactively verify that their vendors maintain strong security measures through certification.

In today’s digital environment, data security is not optional. It is a fundamental business requirement. Directors have a responsibility to protect their organisation’s assets, including customer data, from potential threats. 

By making ISO/IEC 27001 certification a mandatory requirement for third-party providers, directors can demonstrate their commitment to information security and position their organisation for long-term success in an increasingly risk-laden business environment.

Your procurement or communications teams should know the certification status of the organisations handling your mail, email and fulfilment processing services. That means more than noting a logo on a website: obtain a copy of the certificate, confirm it is current and issued by an accredited certification body (in New Zealand, accreditation is typically through JAS-ANZ), check that the scope statement on the certificate covers the specific sites and services that process your customer data, and ask for the Statement of Applicability if you need to understand which controls are in place. Reviewing certification status in this way is a crucial step in minimising the risk and consequences of a customer data breach.


Alan Hard is a member of the Institute of Directors and CEO and Chair of Marketing Impact, one of this country’s largest mail, email and fulfilment services providers.