The modern business landscape means that organisations are more interconnected than ever before, relying on third-party vendors for a wide range of services: outsourced IT support, cloud computing, customer service, payment providers, delivery partners, development resources and so on. This reliance on third parties also introduces risks to your cyber security and data protection that must be carefully managed.
Without management of these risks, a data breach at a third-party vendor can have a devastating impact on you: loss of sensitive data, financial losses and damage to your reputation. That's why it's so important to conduct thorough cyber security and data protection due diligence on any third-party vendor before you do business with them.
Supplier due diligence is the process of gathering information to understand the credibility and suitability of a prospective partner or vendor. It aims to assess their security posture and identify any potential risks before you come to rely on them.
Performing checks before committing to something is standard practice in nearly every part of life, whether family, work or education, so supplier due diligence should not be a foreign concept. Conducting it helps guide decision-making when choosing the right vendor, detects risks with potential suppliers and protects customer data in the process. It is also considered good business practice and can help mitigate the future financial and reputational damage caused by a data breach.
We live in a world where your business security could be theoretically perfect, and yet your data is still exposed. How? Through a supplier. Interconnected services and data sharing means that their risks are your risks, and vice versa.
The risks of not conducting supplier due diligence are significant. If a third-party vendor is breached, your organisation could be exposed to a number of risks, including:
Every business must surely have noticed the increasing importance being placed on supply chain security. The extra time spent filling in supplier due diligence questionnaires can’t have gone unnoticed, and it’s a key driver behind increased ISO 27001 adoption. Though it might mean you spend more time on these activities, the reasons behind them are good: it means everyone’s assessing the risks and, I’d hope, taking steps to address them. In short, the whole supply chain is levelling up together.
MOVEit, a popular managed file transfer product, was exploited by attackers in a campaign that affected hundreds of companies worldwide and exposed the data of hundreds of thousands of people. The attackers exploited a zero-day SQL injection vulnerability, and the sensitivity of the data they potentially gained access to is notable: bank details, identification data and contact information, among much more.
These attacks follow a pattern of targeting key services within an organisation’s supply chain. For example, British Airways was not itself attacked, but its customer data was still leaked because one of its providers used MOVEit.
It’s essential that the risks posed by your partners and providers are identified, codified, managed and mitigated. Be proactive and positive, but also make sure you get the assurance you need: ask to see evidence of recent penetration tests from a reputable pen test provider, and likewise for ISO 27001 certification, and check that the date and scope of what you are shown actually cover the services you will be using. If you identify a supplier as high-risk, then don’t be afraid to insist on your own audits. Your partner will understand; after all, they might make the same requests of you!
Many organisations fall into the trap of neglecting the data protection side of the procurement process. Whilst ‘cyber security’ takes more of the headlines, data protection has its own regulations and requirements that cannot be ignored. Article 28 of the GDPR states that a data controller must only use a data processor that can provide “sufficient guarantees” (particularly in terms of its expertise, resources and reliability) to comply with the UK GDPR and protect the rights of individuals.
Onboarding a vendor to process your customers' or employees' data is an implicit statement that you trust them to process that personal data. This must be formalised by both parties signing a Data Processing Agreement (DPA), which we talked more about in this blog.
It is recommended and best practice for supplier due diligence to be an ongoing process, with data controllers reviewing a processor's compliance on a continual basis. Effective and regular due diligence helps safeguard a company against risks to its operations, reputation and finances.
Having a clear understanding of the vendor's business operations and how they interact with your organisation will help you to identify the specific risks that they pose. For example, if a vendor is providing cloud computing services, you will need to understand how they store and protect your data – asking for evidence of regular penetration testing and log monitoring or SIEM would be appropriate here. If they’ll process personal data, then asking about their GDPR policies and procedures, DPIAs and DPAs is relevant. And if these acronyms are a mystery to you, no need to worry – just reach out to a data protection officer for a helping hand.
The supplier due diligence process can be broken down into the following steps:
This information can be gathered through a variety of sources, including:
Assess the vendor's compliance with the industry regulations and best practices that apply to them, as this helps you ensure that they are taking the necessary steps to protect your data. For example, if a vendor is required to comply with the Payment Card Industry Data Security Standard (PCI DSS), you will need to verify that they are in compliance, for instance by asking for their current Attestation of Compliance rather than taking a claim on their website at face value.
Have a strong contract in place that outlines the vendor's security obligations, as this gives you legal recourse if they fail to meet them. For example, your contract should specify the vendor's responsibility for data breaches, and the steps and timescales for notifying you if a breach occurs.
Even after you have conducted due diligence on a third-party vendor, continue to monitor their security posture on an ongoing basis. The security landscape is constantly changing, and a vendor that is considered secure today could be breached tomorrow.
Frameworks like ISO 27001 are a useful way to get you thinking in terms of risk, both within your organisation and from your suppliers. If you’re struggling, Bulletproof has a team of friendly, experienced information security consultants who can help. As a headline guide, here is an outline supplier due diligence checklist for cyber security and compliance:
Supplier due diligence is an essential process when seeking new vendors, as it allows organisations to make an informed decision on whether to proceed with a business partnership, and it should form part of your business compliance strategy. Only by identifying and mitigating the risks posed by third-party vendors can you reduce the chance of a data breach originating in your supply chain.
As one of our more experienced data protection officers, Rebecca knows data protection inside and out. Her favourite topics to write about include UK & EU GDPR, DPO activities and the often-overlooked PECR regulations.