Successful businesses can almost never provide excellent services on their own. Behind every company are tens, and in some cases hundreds, of other firms helping to facilitate operations. Consequently, when one cog in the machine falls victim to a cybersecurity attack, this can have a detrimental effect on the other businesses that it works with. Suppliers, manufacturers, service providers, software vendors, distributors, resellers and agents are just a few examples of the wide variety of business partners that can contribute to third-party risk.
“Security teams often dismiss third parties as a primary concern but they should keep in mind all those who have physical or digital access to their sensitive information, those who visit their premises or those who conduct off-site work on their behalf,” says Pamela Velentzas, vice president of marketing at Fortra's Terranova Security.
The risks associated with third parties can be split into six categories including: cybersecurity, where attackers infiltrate the business via the supply chain to target sensitive information; compliance, which covers the legal penalties organisations face when their third-party vendors fail to comply with laws and regulations such as GDPR; and financial, which cover the financial implications that are caused by system-level vulnerabilities impacting a firm’s ability to provide services. The financial risk comes in the form of ransom from the attacker or a loss of revenue due to a system being down for long periods of time.
Meanwhile, some third-party risks impact business operations or reputations, which can be identified as the fourth and fifth risk categories. For example, one vendor’s systems may go down due to a cyberattack and this has the potential to impact the reputation of all businesses within their supply chain. The sixth risk that third parties pose to organisations is when their strategies do not align with one another, leading to failed ventures and further security risks caused by a loss of business growth.
While many organisations implement technical guardrails, such as firewalls or email security solutions, to protect their data, these technologies are not enough to manage third-party risk, according to Velentzas. Instead, they should implement security awareness training to combat the human error that is responsible for over 80 per cent of cyberattacks, according to Harvard Business Review.
“To ensure the information that organisations share remains safe and confidential, all business partners need to have the same level of security awareness,” she says. “Security awareness is key to becoming more responsible and secure in the digital world. Organisation-wide training is a critical component of a global information security plan because it allows firms to maintain compliance, remain operational, reduce expenses associated with security incidents, clarify security responsibilities, maintain credibility and reduce risk.”
Security awareness training should be the same for direct, permanent employees who work within a primary organisation as well as those working for third parties to ensure they all follow safe online behaviours when they are handling sensitive information. This could include freelancers, consultants, interim workers, temporary staff or special service providers who work for companies either on premises or off-site.
“Firms may want to offer data security tips to their clients as an added value,” says Velentzas. “A good example of this would be a bank offering suggestions to help protect clients from fraud and theft. This also would help to reduce the number of incidents the bank has to process. In many situations, professors and students have access to a university’s systems or research that must remain protected, and therefore faculty, staff and students are all required to take security awareness training.”
In addition, providing all people working for an organisation both directly and indirectly with the same security awareness training makes it easier to ensure regulatory compliance. For instance, organisations serving European Union consumers must comply with General Data Protection Regulation standards whilst those working in California, USA, must comply with the Consumer Privacy Rights Act. If a third party fails to comply with these regulations, it may negatively impact a firm’s cybersecurity compliance status.
Fortra’s Terranova Security encourages organisations to invest in cybersecurity training that is engaging and tailored towards individuals and their role. “The most successful security awareness programmes are relevant to the people taking the training and specific to their function in the wider business,” says Velentzas. “Training also needs to be engaging, interactive and fun, delivered in segments that are not too long as well as being tailored to their learning capacity and motivation level.”
As no organisation has the same supply chain framework, there is no one-size-fits-all formula to follow. Instead, firms should evaluate the risk posed by their own third parties, whilst continuously monitoring for potential security threats, planning incident responses, reviewing and negotiating third-party contracts and cyber insurance.
This article was originally published in the Summer 2023 issue of Technology Record. To get future issues delivered directly to your inbox, sign up for a free subscription