Third-Party Risk Should Be Your First Priority
Your business deals with multiple third-party vendors, including call centres, government agencies, web and e-commerce providers, outsourced IT services, recycling collectors, building management, and many others. Third-party vendors provide your business with specialised products and services, and in most cases their number only increases over time.
The fact is that third-party organisations can be among the highest risks to your business, and their ability to defend against and deal with cyber-attacks becomes your problem.
In the past, third-party suppliers may have been procured by any part of the business with little more than a legal agreement or contract. These organisations may also have simple or intricate connections into your business, or act as a springboard for criminals to commit email-related fraud.
The third-party poster child of our generation is the well-publicised Target breach, where an $18.5 million settlement had to be paid following a data breach of 41 million customer payment cards that affected 60 million Target customers. The theft was carried out using credentials stolen from a third-party vendor.
In a recent data breach at oil giant Saudi Aramco, 1TB of stolen data containing confidential company information and employee profiles made its way to cybercriminals. The data was stolen via a security breach at an unnamed third-party contractor.
How can I secure my business from third-party risk?
Larger organisations need holistic programs that can continually manage third-party security risks created by hundreds to thousands of vendors, suppliers, and partners.
Small and medium organisations should carry out due-diligence checks before allowing third parties to connect to and interact with their systems. A lightweight risk assessment goes a long way: ask basic security-related questions of every third party that accesses your systems and data:
- Are you in a shared office?
- Do you have a written network security policy?
- Do you use a VPN?
- Is your network equipment secured?
- Which data centre providers, if any, do you use?
- Are employee devices encrypted?
Your company should be aware of your third-party suppliers, vendors, and contractors, the data they use and store, and who has access to it. You should know where your data is being taken and stored, for example, the cloud, their offices, or a local data centre.
You should know whether they can encrypt your data, whether they apply basic identity and access management, and whether they too comply with local privacy laws.
Their staff should be cyber-aware, receive regular security awareness training, and work on devices that require multi-factor authentication and local encryption.
Managing your third-party risk is an ongoing process and prevention is better than dealing with an incident that could affect you, your staff, and customers. Today it’s no longer a question of if you’ll have a cyber incident, but rather when.