17 Jun 2026

Cyber security protection questions to ask your provider

Cyberattacks such as malware infections, phishing emails and data breaches are very much a modern-world problem that employers need to stay on top of.


Rarely a week goes by without the media reporting on a well-known brand or organisation falling victim to an attack or being subject to a serious attempt.

In March, Stryker Medical Products, which supplies medical equipment to the NHS, fell victim to a cyberattack that disrupted its IT systems globally, significantly affecting its business operations and NHS supplies.

And in May, Canvas software was hacked, affecting thousands of students, universities and institutions across the world. The case is unusual because, contrary to government advice, the software company paid the hackers to delete the stolen data.

With the UK experiencing four ‘nationally significant’ cyberattacks every week according to the National Cyber Security Centre (NCSC), it’s no wonder that businesses and their clients are becoming increasingly concerned about cyber security. For employers considering working with third parties and providers, data security and protection is a top priority.

Data protection for peace of mind

Employers are digging into the technical detail of how their data is stored and using the expertise of their in-house technical advisors when they speak with third-party providers like Tusker. It is no longer a tick-box exercise: employers want to know the ins and outs of a provider's data security and protection policies so they can satisfy themselves that data is stored safely.

As part of Lloyds Banking Group, Tusker takes data security and privacy extremely seriously. Tusker is one of the only providers certified to both ISO 27001 and Cyber Essentials Plus. ISO 27001 is the international standard for information security management systems (ISMS); certification means an independent auditor has verified that a documented framework is in place to protect data and manage information security risks.

Cyber Essentials, a government-backed scheme run by the National Cyber Security Centre (NCSC), requires five technical controls (firewalls, secure configuration, user access control, malware protection and security update management) that help prevent the most common cyberattacks. Cyber Essentials Plus, the higher level held by Tusker, adds an independent technical assessment by an external assessor, including vulnerability scanning and hands-on testing of devices, to verify that those controls are actually in place and working rather than simply self-declared.

Employers need to have peace of mind that providers are taking data security and protection seriously. This should include encrypting data at rest and in transit, complying rigorously with GDPR and having documented data retention policies that state how long each type of data is kept and how it is deleted.

It’s also important to recognise that human error is responsible for many data breaches: an employee may be ‘taken in’ by a phishing email, for example, or fail to follow security procedures. This is why regular training on data protection and security is also important.

Questions to ask providers

So, what questions should employers be asking providers?

  • Can you provide copies of your data security and compliance certifications, including their scope and expiry dates? (for example: ISO 27001, Cyber Essentials, Cyber Essentials Plus)
  • Can you provide copies of your privacy policy?
  • Do you encrypt data at rest and in transit, and how are the encryption keys managed?
  • What encryption do you use for email communications (for example, TLS between mail servers, or encrypted attachments for sensitive documents)? Alternatively: How do you ensure the security and privacy of data sent by email?
  • Do you enforce multi-factor authentication for staff access to the systems that hold our data?
  • Is your data retention in line with GDPR? (How long do you keep information for, and how is it deleted at the end of that period?)
  • How do you monitor changes in the industry to keep up to date with evolving compliance requirements (such as GDPR)?
  • In the event of a breach, what is your specific notification timeline and protocol for affected clients?
  • What regular data protection and cyber-security awareness training do your employees undergo?
  • What policies can you provide to show your business continuity and disaster recovery plans, and how often are they tested?
  • What are your plans for the next 12 to 24 months for strengthening data security and compliance?

Crucially, providers should supply documentary evidence of their policies and certifications, such as the certificate itself, the name of the certifying body and the scope it covers. An inability or apparent unwillingness to provide evidence of any certification is a red flag.

Verbal assurances of certification should therefore never be taken at face value: ask for the evidence, and check that it is current and covers the services you are buying.

Business-wide priority

Data security is no longer a concern limited to IT and those in technical roles: it’s a business-wide priority. With cyber threats continuing to evolve, employers need to ensure the third-party providers they work with have the right protections in place.

Knowing what to look for and asking the right questions will ensure employers partner with providers who have a transparent and demonstrable commitment to security and data protection.

Supplied by REBA Associate Member, Tusker

Tusker is the UK’s leader in salary sacrifice cars. Part of Lloyds Banking Group, it has more than 15 years’ experience in offering an affordable way for employees to drive a new, fully insured, and maintained car. Its scheme, which is available to over 1.8 million UK employees, offers a range of options, from pure electric cars to hybrids and even traditional petrol and diesel vehicles. It provides a tailored scheme for organisations’ individual needs.

Contact us today