The size and frequency of cyber-attacks and data breaches have been increasing in recent years, costing UK businesses big money.
Recent research shows that for mid-market businesses alone, the costs associated with these attacks have reached at least £30bn a year.
Unsurprisingly, most UK businesses are bolstering their own risk mitigation strategies in response.
However, a survey undertaken as part of the government’s National Cyber Security Programme reveals that while businesses are showing a clear desire to protect customer data, trade secrets and intellectual property – particularly following the introduction of GDPR – many fail to appropriately mitigate one major cyber security risk: their third-party suppliers.
The risk posed by third-party suppliers
While many businesses have developed robust internal risk management strategies – ranging from technological defences to cyber security training – focusing only on internal risk mitigation is not enough.
Most organisations work with a wide range of third-party suppliers and partners, many of which have some degree of access to company data and internal systems. If not managed appropriately, these relationships can expose significant security weaknesses.
Cyber criminals know that the potentially weaker security practices adopted by a business’s third-party suppliers can open a backdoor to sensitive systems and information – making it vital that organisations extend security planning to factor in third-party risk.
Perhaps the most infamous cyber breach caused by a supplier was suffered by Target in 2013. The US retailer eventually had to pay out $18.5m after cyber attackers gained access to its computer gateway using credentials stolen from a third-party supplier – accessing the customer payment card accounts of 41 million customers.
How can businesses mitigate cyber risk?
There are a number of steps that businesses should take to minimise cyber risk at every stage of a supplier relationship.
Reducing the chance of a data breach starts with making third-party security considerations a fundamental part of the procurement process.
Asking suppliers to provide information on their cyber resilience policies – adherence to GDPR, for example – is a good way to start. This makes it far easier to bring in suppliers that meet recognised standards, such as ISO 27001 certification for information security management, or government-endorsed Cyber Essentials accreditation.
Once the procurement process is complete, it is important to comprehensively map who has access to information and to plot the flow, exchange and storage of critical organisational data by and with third parties.
This aids the adoption of appropriate risk mitigation strategies, ranging from firewalling, malware protection and regular software updates, through to listing all users with admin rights and sharing best practice for staff training and health checks.
During the course of a relationship, businesses should continue to hold their vendors to account. There are a number of ways to do this, from asking suppliers to complete self-assessments, through to regular audits and penetration testing of a vendor’s systems. The approach taken will depend on the sensitivity of the data and systems shared.
It is just as important to understand how sensitive data will be handled after a relationship ends. While many businesses will take strong steps to understand how information will be handled during the course of a supplier partnership, it is equally important to establish what actions will be taken to delete or safeguard this data once a partnership has been terminated.
In 2018, ticketing and events business Ticketmaster UK revealed that the personal and payment details of around 5% of its global customer base had been compromised. The source of the data breach was found to be malicious software on a customer support product provided by a third-party supplier to Ticketmaster. Following the breach, Ticketmaster was named in a £5m lawsuit filed on behalf of the company’s affected customers.
Planning for the worst
It is impossible to completely eliminate the chances of a data breach or cyber-attack, either directly or against a supplier. For this reason, it is important to factor third-party risks into a cyber incident response plan. The aim of this plan should be to minimise damage and expenses related to a breach and minimise disaster recovery time. With the chances and potential damaging effects of a cyber-attack or data breach mounting every year, it is increasingly important that businesses build robust third-party data security approaches.