Why you should care about who can access your IT system
Hilary Walton explains why it’s important for every size business, even SMBs, to include cybersecurity in their third-party risk management.
Imagine your business falling victim to a cyberattacker coming in through the air-conditioning.
Sound crazy? That’s what happened to Target back in 2014, costing the American retailer a cool US$18 million. To penetrate their IT system, attackers stole network credentials from Target’s third-party vendor that subcontracted heating and air conditioning for several locations around the country.
More recently, email marketing giant Mailchimp suffered a data breach in which hackers successfully exported audience data from 102 accounts. They also managed to gain access to API keys from some of these accounts and used them to send phishing campaigns to those accounts’ contacts.
These incidents are a harsh reminder of the necessity for third-party risk management. Today, our reliance on information technology systems and data exchange means we have more to lose, and it’s highly advisable for every organisation to include cybersecurity in third-party risk management. This extends to the small-to-medium companies which overwhelmingly comprise the New Zealand business environment.
The good news is that doing so isn’t difficult and it delivers benefits to both your business and related third parties.
What is third-party risk and why should you care?
The formal definition of third-party risk is pretty dry: An institution’s management is ultimately responsible for managing activities conducted through third-party relationships and identifying and controlling the risks arising from such relationships to the same extent as if the activity were handled within the institution.
In daily operational terms, this means you need to be aware of the integrity, reliability and dependability of your suppliers and other partners.
When it comes to cybersecurity risk, it’s fair to say management at most small to medium businesses have an inwards-looking approach. When boards and managers consider cybersecurity measures, it isn’t generally looked at from a ‘supply chain’ or ‘value chain’ perspective. Instead, most seek to minimise the impact by seeking insurance for potential losses from data breaches or hacks.
However, they’re doing so at their own peril, because if you haven’t put appropriate risk mitigation measures in place, you’re not getting the cover. Just as a burglary claim might go unpaid because the front door was left open, insurers want assurances about your security posture, your incident management processes, and indeed whether and how third-party risk is assessed.
This is probably the biggest and most readily available cue on how to approach third-party cyber risk. After all, insurers have money at stake and risk management is their game. Your first steps are therefore quite simple: follow the requirements of your insurer. Demonstrating compliance with their risk mitigation strategies puts you on a firm footing.
Take appropriate steps to implement your risk mitigation measures
When looking at your own systems, equipment, people and processes, cyber risk management is relatively easy, as everything is under your direct control. But the nature of business today is that as you develop relationships with your partners, the boundaries quickly move beyond your own four walls. Systems are routinely integrated, and data is exchanged automatically. That’s how digital transformation happens, bringing with it advantages of efficiency and business acceleration, but also increasing the attack surface. Even seemingly benign things like waybills, invoices and so on can be and are used by hackers in their efforts to breach your defences.
The first step towards managing third-party risk, therefore, is an assessment of your own business. Ultimately, you’ll be approaching your partners and suppliers and asking them for information on their security posture and the data protection measures they have in place. Preparing a document outlining your own measures, posture and policies, and having it ready to hand over, demonstrates good faith and an obvious commitment to the exercise. It’s also a clear example of just what it is you’re after.
Secondly, triage your suppliers and partners into those which present the highest risk, then medium, then low risk. You don’t want to boil the ocean, and even small businesses have long lists of suppliers covering IT, marketing, legal, and so on. Focus efforts on those presenting the highest risk, perhaps applying the Pareto Principle (the 80/20 rule) along with a reasoned assessment of why each organisation presents any particular level of risk.
Interdependencies are important and should be seen in context. Those which include data interchange, for example, are clearly higher risk and mapping those dependencies can be instructive. If one of your suppliers is a cloud service provider, the third-party risk might be substantial because a hacker targeting that provider could gain access to potentially hundreds of targets, your business among them.
Get comfortable with the products and services provided and understand how they are secured. Ask whether they have an information security management system and an incident response process, whether staff are vetted, how they handle your data at rest and in transit, and whether they have a security department. Gauge how seriously security is taken, and how comfortable they would be contacting you should the worst happen.
Lastly, get access to the right tools. Managing risk is made more difficult if the only available tools are a spreadsheet and a piece of paper. Consider a commercially available dashboarding system which not only guides the risk management process, but also documents and automates it, with regular scheduling of risk reviews. And whenever entering a new supplier or customer relationship, consider including cyber risk assessment as a standard component of the onboarding process.
Remember, cybersecurity is a little like vaccination. The more everyone does it, the safer the entire environment becomes for all.
When principals and third parties work together – starting with heightened awareness and being a good example by handing over your own security protocol and posture – the general business environment is hardened against cyberattacks. And you’ll get the insurance you need, no problem.
Hilary Walton is CISO at Kordia.