Updated: Feb 27
As more of ordinary business runs on technology, having a proper cyber risk management process matters more than ever. But what do you do when your information sits with vendors or other external companies as part of your normal operations? Can you rest soundly knowing that they take cyber risk as seriously as you do? Or do you wait until something happens and the fallout does major harm to your bottom line and reputation?
Here is what you need to know about third-party cyber risk and how to protect your business from this very real threat.
What is Third-Party Cyber Risk?
Before discussing how to protect your business against it, it helps to understand what third-party cyber risk actually is. In simple terms, third-party cyber risk is the risk you take on whenever someone outside your organisation has access to your data or network: vendors, software companies, or virtually anyone else in your supply chain. If that access is abused, or the third party is itself compromised and your information is exposed, the result is a third-party data or security breach, and it is your data and your customers that are affected even though the weakness was someone else's.
For larger companies, simply tracking who has access to sensitive files can be incredibly difficult. With multiple vendors holding access to your data, some of whom may have no cyber risk management process of their own, information can easily end up in the wrong hands, or an incident at a vendor can severely compromise your own IT systems. Think of the cloud-based services you use. What steps are they taking to prevent a breach? How many people, on their side and at their own suppliers, can really get at your sensitive information? In most organisations the honest answer is: more than anyone has counted.
What is the end result for most companies after a third-party data breach? Loss of income, loss of customer trust, the significant cost of investigating and reporting the breach, and damage to your reputation and brand. The most difficult part of managing third-party cyber risk is that you cannot see for yourself whether your vendor is doing what they said they would do to protect your data, and you do not know who has access to your vendor's IT network in turn (fourth-party risk: your vendor's own vendors and subcontractors).
Why Do Businesses Need to Worry About Third-Party Cyber Risk?
As you can easily see, third-party cyber risk must be treated as part of doing business today and as part of an overall cyber risk management plan. A Ponemon Institute survey published in September 2019 found that 59% of the organisations surveyed had experienced a data breach caused by a third-party vendor rather than by their own systems. Having protection mechanisms and a plan of action in place before you need them is the only realistic way to keep damage to a minimum should a breach occur.
How do these breaches commonly happen? In many cases access is essential to doing business: if you have hired a vendor, you need them to reach your data or network to do the job. The problem is that a vendor's connection, credentials or integration is often the weakest link, and so it becomes the attacker's entry point into your network.
The end result is often a major impact on your business: damage to your reputation, loss of customers, loss of contracts and, ultimately, loss of income.
What is the Best Way to Manage Third-Party Cyber Risk?
There are a couple of ways you can manage third-party cyber risk.
As a first step, you can contractually require that any third party with access to your data or IT network meets your cyber risk management standards: the controls they must maintain, how quickly they must notify you of an incident, and a right for you to audit or request evidence. A contract on its own only tells you what the vendor has promised, not what they actually do, so pair it with some way of checking, such as periodic security questionnaires or evidence of independent assessment.
A stronger way to manage third-party risk is to prefer vendors who are ISO 27001 certified. ISO 27001 is the international standard for information security management systems; certification means an accredited external auditor has assessed the vendor's security management system against the standard and re-examines it regularly. Certification does not guarantee that the vendor will never suffer a cyber-attack or data breach, but it does mean the vendor has the processes and procedures to significantly reduce the chances of one, and to respond to it and minimise the disruption if it does happen, which in turn limits the impact on your business. When you rely on a certificate, check that its scope actually covers the service and systems that handle your data; a certificate scoped to one business unit or location says nothing about the others.
What Does Every Business Need to Know? The Lessons Learned from LandMark White
Of course, to give you further perspective on why mitigating third-party cyber risk is so important, we have to look at a specific case study.
The LandMark White breach took place in 2019 and involved Australia's largest property valuation firm. Because LandMark White did not enforce authentication on an API connection, a third party was able to pull more than 100,000 records, including property valuations and the personal details of borrowers, lenders, homeowners and property agents, and post them on the dark web. An API that never checks who is calling it is, in effect, open to the whole internet, and whoever finds it can retrieve records in bulk.
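To make the class of flaw concrete, the following is an added example written for this article; it is not LandMark White's code, and the record contents, API key values and client names (lender-a, lender-b) are constructed for the illustration. It puts a records endpoint that never checks the caller beside a hardened version that authenticates a bearer key and only serves the records that key is entitled to, and then runs the kind of id-walking scrape an open endpoint invites against both.

```python
# Added illustration (not LandMark White's code): a records API that never
# checks who is calling, beside a hardened version that authenticates the
# caller and scopes what each caller may read. All data below is constructed.
import hmac
from dataclasses import dataclass, field

# Constructed sample records, keyed by a sequential id (sequential ids are what
# make bulk scraping trivial once the endpoint is open).
RECORDS = {
    1001: {"address": "1 Example St", "valuation": 750_000, "borrower": "A. Person"},
    1002: {"address": "2 Example St", "valuation": 910_000, "borrower": "B. Person"},
    1003: {"address": "3 Example St", "valuation": 640_000, "borrower": "C. Person"},
}

# Constructed API keys: each key belongs to one client and is limited to the
# records that client commissioned. Real keys would be long random secrets.
API_KEYS = {
    "lender-a-key-0123": {"client": "lender-a", "records": {1001, 1002}},
    "lender-b-key-4567": {"client": "lender-b", "records": {1003}},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: path plus headers."""
    path: str
    headers: dict = field(default_factory=dict)


def vulnerable_get_valuation(req: Request):
    """Before: whoever knows (or guesses) a record id gets the record."""
    record_id = int(req.path.rsplit("/", 1)[1])
    record = RECORDS.get(record_id)
    return (200, record) if record else (404, None)


def authenticate(headers: dict):
    """Return the client entry for a valid 'Authorization: Bearer <key>' header, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    for key, client in API_KEYS.items():
        # constant-time comparison so timing does not leak how much of a key matched
        if hmac.compare_digest(presented, key.encode()):
            return client
    return None


def hardened_get_valuation(req: Request):
    """After: authenticate first, then only serve records this client is entitled to."""
    client = authenticate(req.headers)
    if client is None:
        return (401, None)
    try:
        record_id = int(req.path.rsplit("/", 1)[1])
    except ValueError:
        return (400, None)
    # Answer 404 rather than 403 for records outside the client's scope, so a
    # valid key cannot be used to confirm which ids exist.
    if record_id not in client["records"]:
        return (404, None)
    return (200, RECORDS[record_id])


def enumerate_records(handler, id_range, headers=None):
    """Simulate the scraping an open API invites: walk ids and keep every record returned."""
    found = {}
    for record_id in id_range:
        status, body = handler(Request(f"/api/valuations/{record_id}", dict(headers or {})))
        if status == 200:
            found[record_id] = body
    return found


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("open API leaks:", sorted(enumerate_records(vulnerable_get_valuation, ids)))
    print("hardened, no key:", sorted(enumerate_records(hardened_get_valuation, ids)))
    lender_a = {"Authorization": "Bearer lender-a-key-0123"}
    print("hardened, lender-a key:", sorted(enumerate_records(hardened_get_valuation, ids, lender_a)))
```

The point of the scrape loop is that the open endpoint hands back every record for every id tried, while the hardened one returns nothing without a key and, with a key, only that client's own records. In a real deployment you would also rate-limit per key, log authentication failures so a scrape attempt is visible, and use random rather than sequential record identifiers.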
The result was a major loss of customer confidence, and trading in LandMark White's shares on the ASX was suspended. Around $7 million was lost through suspended contracts, and the company's reputation was so badly damaged that it later rebranded under a new name. In rebuilding trust with its customers, LandMark White adopted the ISO 27001 framework and achieved certification to demonstrate an ongoing commitment to cyber risk management.
It is important to recognise that LandMark White was fortunate to have the resources to learn from this breach and recover. Cyber risk management is equally, if not more, important for smaller businesses, because you may not get the second chance that LandMark White did.
So, Third-Party Cyber Risk is a Real Threat
To put it simply, third-party cyber risk is a real threat no matter how large or small your business is. Nobody is immune, and even if you have taken steps to prevent an incident, one remains a real possibility; the measures above exist to make it less likely, and less damaging when it does happen.