Technology Record - Issue 29: Summer 2023

The domino effect of third-party risk

INTERVIEW

BY ALICE CHAMBERS

Businesses should invest in risk management and security awareness training to avoid the repercussions of cyberattacks on third parties, according to Pamela Velentzas of Fortra’s Terranova Security

Successful businesses can almost never provide excellent services on their own. Behind every company are tens, and in some cases hundreds, of other firms helping to facilitate operations. Consequently, when one cog in the machine falls victim to a cybersecurity attack, this can have a detrimental effect on the other businesses it works with. Suppliers, manufacturers, service providers, software vendors, distributors, resellers and agents are just a few examples of the wide variety of business partners that can contribute to third-party risk.

“Security teams often dismiss third parties as a primary concern, but they should keep in mind all those who have physical or digital access to their sensitive information, those who visit their premises or those who conduct off-site work on their behalf,” says Pamela Velentzas, vice president of marketing at Fortra’s Terranova Security.

The risks associated with third parties can be split into six categories. The first is cybersecurity, where attackers infiltrate the business via the supply chain to target sensitive information. The second is compliance, which covers the legal penalties organisations face when their third-party vendors fail to comply with laws and regulations such as GDPR. The third is financial, which covers the financial consequences of system-level vulnerabilities that impair a firm’s ability to provide services; this risk takes the form of a ransom demand from the attacker or a loss of revenue while a system is down for a long period of time. Some third-party risks affect business operations or reputations, which form the fourth and fifth risk categories. For example, one vendor’s systems may go down due to a cyberattack, with the potential to damage the reputation of every business in its supply chain.

The sixth risk that third parties pose to organisations arises when their strategies do not align with one another, leading to failed ventures and further security risks caused by a loss of business growth.

While many organisations implement technical guardrails, such as firewalls or email security solutions, to protect their data, these technologies are not enough to manage third-party risk, according to Velentzas. Instead, they should implement security awareness training to combat the human error that is responsible for over 80 per cent of cyberattacks, according to Harvard Business Review.

“To ensure the information that organisations share remains safe and confidential, all business partners need to have the same level of security awareness,” she says. “Security awareness is key to becoming more responsible and secure in the digital world. Organisation-wide training is a critical component of a global information security plan because it allows firms to maintain compliance, remain operational, reduce

Image: iStock/Nuthawut Somsuk