Why you should care about who can access your IT system

Glenn Baker
April 26, 2022

Hilary Walton explains why it’s important for every size business, even SMBs, to include cybersecurity in their third-party risk management.

Imagine your business falling victim to a cyberattacker coming in through the air-conditioning.

Sound crazy? That’s what happened to Target back in 2014, costing the American retailer a cool US$18 million. To penetrate their IT system, attackers stole network credentials from Target’s third-party vendor that subcontracted heating and air conditioning for several locations around the country.

More recently, email marketing giant Mailchimp had a data breach through which hackers successfully exported audience data from 102 accounts. They even managed to gain access to API keys from some of these accounts and send phishing campaigns to their contacts.

These incidents are a harsh reminder of the necessity for third-party risk management. Today, our reliance on information technology systems and data exchange means we have more to lose and it’s highly advisable for every organisation to include cybersecurity in third-party risk management. This extends to the small to medium companies which overwhelmingly comprise the New Zealand business environment.

The good news is that doing so isn’t difficult and it delivers benefits to both your business and related third parties.

What is third-party risk and why should you care?

The formal definition of third-party risk is pretty dry: An institution’s management is ultimately responsible for managing activities conducted through third-party relationships and identifying and controlling the risks arising from such relationships to the same extent as if the activity were handled within the institution.

In daily operational terms, this means you need to be aware of the integrity, reliability and dependability of your suppliers and other partners.

When it comes to cybersecurity risk, it’s fair to say management at most small to medium businesses have an inwards-looking approach. When boards and managers consider cybersecurity measures, it isn’t generally looked at from a ‘supply chain’ or ‘value chain’ perspective. Instead, most seek to minimise the impact by seeking insurance for potential losses from data breaches or hacks.

However, they’re doing so at their own peril because if you haven’t put in place appropriate risk mitigation measures, you’re not getting the cover. Just like a burglary claim might go unpaid because the front door was left open, insurers want assurances about security posture, incident management processes, and indeed if and how third-party risk is assessed.

This is probably the biggest and most readily available cue on how to approach third-party cyber risk. After all, insurers have money at stake and risk management is their game. Your first steps are therefore quite simple: follow the requirements of your insurer. Demonstrating compliance with their risk mitigation strategies puts you on a firm footing.

Take appropriate steps to implement your risk mitigation measures

When looking at your own systems, equipment, people and processes, cyber risk management is relatively easy as everything is under your direct control. But the nature of business today is that as you develop relationships with your partners, the boundaries quickly move beyond your own four walls. Systems are routinely integrated, and data is exchanged automatically. That’s how digital transformation happens, bringing with it advantages of efficiency and business acceleration, but increasing the attack surface. Even seemingly benign things like waybills, invoices and so on can be, and are, used by hackers in their efforts to breach your defences.

The first step towards managing third party risk, therefore, is an assessment of your own business. Ultimately, you’ll be approaching your partners and suppliers and asking them for information on their security posture and the data protection measures they have in place. Preparing a document outlining your own measures, posture, and policies, and having it ready to hand over demonstrates good faith and obvious commitment to the exercise. It’s also a clear example of just what it is you’re after.

Secondly, triage your suppliers and partners into those which present the highest risk, then medium, then low risk. You don’t want to boil the ocean, and even small businesses have long lists of suppliers covering IT, marketing, legal, and so on. Focus efforts on those presenting the highest risk, perhaps applying the Pareto Principle (the 80/20 rule) along with a reasoned assessment of why each organisation presents any particular level of risk.

Interdependencies are important and should be seen in context. Those which include data interchange, for example, are clearly higher risk and mapping those dependencies can be instructive. If one of your suppliers is a cloud service provider, the third-party risk might be substantial because a hacker targeting that provider could gain access to potentially hundreds of targets, your business among them.

Get comfortable with the product and services provided and understand how they are secured. Ask if they have an information security management system, incident response, if staff are vetted, how they handle your data at rest and in transit, and if they have a security department. Gauge how seriously security is taken, and how comfortable they might be in contacting you should the worst happen.

Lastly, get access to the right tools. Managing risk is made more difficult if the only available tools are a spreadsheet and a piece of paper. Consider a commercially available dashboarding system which not only guides the risk management process, but also documents and automates it, with regular scheduling of risk reviews. And whenever entering a new supplier or customer relationship, consider including cyber risk assessment as a standard component of the onboarding process.

Remember, cybersecurity is a little like vaccination. The more everyone does it, the safer the entire environment becomes for all.

When principals and third parties work together – starting with heightened awareness and being a good example by handing over your own security protocol and posture – the general business environment is hardened against cyberattacks. And you’ll get the insurance you need, no problem.

Hilary Walton (pictured) is CISO at Kordia.
