Having looked at the threat to our cyber security from Internet of Things devices, this week we are continuing the theme of risk by looking at the risks presented by third parties. Many organisations rely on third parties to help deliver their services, products and solutions, but what risks could be hidden in these relationships?
Industry leaders such as Mandiant and IBM make a clear threat prediction for 2023: third-party suppliers will be increasingly targeted. Although this puts greater responsibility on the third party to protect themselves, your organisation could still be facing threats.
What Do We Mean When We Talk About Third-Party Risks?
A third party is an external party that helps your organisation to operate; they may be suppliers or sit within your wider ecosystem. Third parties include vendors, suppliers, partners and service providers: simply, any organisation that has access to internal company or customer data, systems, processes, or other privileged information.
A risk can be described as the chance of something happening that will have a negative effect. The level of risk reflects two things: the likelihood of the unwanted event and the potential consequences if it occurs.
When we talk about third party risks in the context of cyber security, we are looking at the potential harm that these third parties represent to the integrity of your organisation’s security.
Why is it Important to be Aware of Third-Party Risks?
Some of the largest cyber-attacks we have seen are a direct result of third parties: a third party often provides one open door into many organisations. This means that an attacker might not be attacking your business directly; by attacking one supplier, they are attacking many.
Your organisation may have strong cyber security practices in place, but if a third party has direct access to your network and their security is not up to date, or they carry an inappropriate level of risk, then your network could also be in jeopardy. However, there are ways you can protect yourself from third-party risks and
We often use the metaphor of a house: your security is your doors and windows. Third parties hold the spare key to one of these doors or windows, meaning that if they are breached, access to your organisation could also be compromised.
Every organisation should be working to ensure both data and system security. Although many organisations do their best to comply with regulations and take extra measures to protect their systems and operations, the threat landscape is continually changing, which means our approach to security also has to adapt.
What Are the Consequences of Third-Party Threats?
Looking at the City of London attack, a key supplier of trading software to the City of London allowed attackers access to systems. Although this particular attack was isolated and segregated from the rest of the network, it disrupted systems, operations and functionality, all of which could have been avoided.
Third-party attacks, or rather attacks that come about as a result of third parties, can have a detrimental impact on the functionality of key sectors and, if not handled correctly, can have huge consequences.
A good example of these consequences is the NHS attack that occurred as a result of third-party provider Advanced. This attack disrupted a number of different NHS operations and, in this instance, lives were on the line. It sounds harsh, but it is the best way to highlight the importance of ensuring that the third parties your organisation works with will not harm your organisation if an attack does occur.
Every partnership or relationship your organisation enters into should be approached with security in mind, asking yourself: what is the level of risk? What is the potential consequence or harm?
When outsourcing or relying on third-party software, what access are you granting to your systems, and how much data do they actually need compared with how much data they can access? When we ask these questions, we are asking you to consider your own risk appetite and how much of a risk the third party could present.
How can you ensure that your organisation is protected against the risk of third parties?
Firstly, you should establish who your third parties are and what data they have access to.
Organisations should carry out security due diligence before entering a relationship with another organisation; this encompasses all aspects of any due diligence exercise with an added layer of security.
You should carry out a risk assessment: where are the potential points of harm, and what measures can be taken to mitigate them?
What impact would a breach of the third party have on you? We call this a Data Protection Impact Assessment (DPIA): you are looking at the impact on the data that you hold as a result of a breach.
Organisations can take defensive measures to ensure they are protected against third-party vulnerabilities. These include penetration testing and staff training and awareness, which helps to ensure that, if a breach does occur, staff know what they should be looking out for and what measures they should take to protect themselves.
As well as carrying out the above, organisations should ensure they have both policies and procedures in place that detail the actions staff should take, who is responsible, and the relationship between the third party and your organisation; this is where the DPIA mentioned above is important.
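The steps above (list your third parties and what they can access, score likelihood and consequence, check access against genuine need, and decide who needs a DPIA or further assurance) can be kept in a simple risk register. The following is an added example written for this article; it is not CyberCrowd's own tooling or methodology. The sensitivity scale, the scoring bands and the fictional suppliers in the sample register are all assumptions made for illustration.

```python
"""Third-party risk register (constructed example, not CyberCrowd's own code).

For each supplier it records the data it genuinely needs versus the data it can
actually reach, whether it holds a "spare key" to the network, and a likelihood
rating from due diligence; it then scores risk as likelihood x consequence,
flags least-privilege gaps, and ranks suppliers for attention.
"""
from dataclasses import dataclass, field

# Assumed data-sensitivity scale: higher means a breach hurts more.
SENSITIVITY = {"public": 1, "internal": 2, "customer_pii": 3, "health": 4}


@dataclass
class ThirdParty:
    name: str
    data_needed: set        # data classes the service genuinely requires
    data_accessible: set    # data classes it can actually reach today
    network_access: bool    # direct access into our network (the "spare key")
    likelihood: int         # 1 (remote) .. 5 (almost certain), from due diligence
    assurance: set = field(default_factory=set)  # evidence held, e.g. {"pentest"}


def excess_access(tp):
    """Least-privilege gap: data the third party can reach but does not need."""
    return tp.data_accessible - tp.data_needed


def consequence(tp):
    """Consequence 1..5 driven by the most sensitive data reachable, plus one
    if the supplier holds network access and a breach could spread further."""
    worst = max((SENSITIVITY[d] for d in tp.data_accessible), default=0)
    return min(5, worst + (1 if tp.network_access else 0))


def risk_score(tp):
    """Risk = likelihood x consequence, the two factors the article names."""
    return tp.likelihood * consequence(tp)


def risk_band(score):
    """Assumed bands on the 0..25 scale."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(register):
    """Return one finding per third party, highest risk first."""
    findings = []
    for tp in register:
        score = risk_score(tp)
        actions = []
        gap = excess_access(tp)
        if gap:
            actions.append(f"remove access to {sorted(gap)}")
        if tp.network_access and "pentest" not in tp.assurance:
            actions.append("require penetration test evidence")
        if risk_band(score) != "low":
            actions.append("complete DPIA and review incident procedure")
        findings.append({"name": tp.name, "score": score,
                         "band": risk_band(score), "actions": actions})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


# Constructed sample register: fictional suppliers, illustrative values only.
SAMPLE_REGISTER = [
    ThirdParty("Trading platform vendor", {"internal"},
               {"internal", "customer_pii"}, True, 3, {"iso27001"}),
    ThirdParty("Payroll SaaS", {"customer_pii"}, {"customer_pii"}, False, 2, {"pentest"}),
    ThirdParty("Office cleaning contractor", set(), set(), False, 1, set()),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_REGISTER):
        print(f"{f['band']:6} {f['score']:2}  {f['name']}: "
              f"{'; '.join(f['actions']) or 'no action'}")
```

Run as a script, the register lists the trading platform vendor first: it can reach customer data it does not need and holds network access without penetration test evidence, so it is the relationship to tighten first. The point of the register is not the exact numbers but that every supplier is written down with its access and a reason for its rating, which is what a DPIA and the policies described above depend on.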
How Can CyberCrowd Help?
It is no secret that many organisations outsource functions of their services and operations to third parties, and as a result these third parties become integral to those organisations' operations.
It might seem obvious, but the important thing is to ensure that you are aware of the risk, appreciate that third parties are often a vulnerability in your security, and are therefore taking steps to mitigate that risk and protect yourself.
If you are concerned about your organisation's security or are looking for guidance on how you can improve, please contact us today.