Third-party Risks: A New Frontier and a Major Concern for Businesses
Outsourcing to third parties helps businesses free up time and resources, both of which can be channelled back into core business tasks.
But whether the third party provides accounting, marketing, IT support, HR/payroll, customer service and support, or any other service, working with them carries an inherent element of risk. After all, these companies have access to sensitive data — contact details for employees and customers, payment information, login details for essential software and tools, and at times the company’s intellectual property.
And a cybersecurity breach could cause this data to fall into the hands of criminals. While most companies are well aware of this danger, too many fail to take action: 77 percent of Canadian small businesses are concerned about being hit by a cyber-attack, but 36 percent choose not to invest in effective security.
That’s a huge oversight. But it’s understandable that small businesses using third-party services for the first time overlook the need for caution when choosing a provider. Third-party risk is something of a new frontier, and technology continues to advance faster than non-experts can keep up with.
This creates a disconnect between businesses and the services they are paying for. As a result, a huge amount of trust is required, and third parties have to be transparent about how they use client data, their security measures, policies and procedures, and more.
In short: due diligence is critical when working with third parties, but what steps can businesses take to mitigate their risk?
Focus on Experienced Vendors and Don’t Cut Corners
Small and medium businesses might be tempted to go with the cheapest third-party service provider in their area. Money can be tight during the early years of building a brand, and usually for some time beyond, too.
But businesses can’t afford to cut corners when choosing vendors responsible for key services and with access to sensitive data.
Always take the time to do your due diligence and find a vendor with provable experience working with companies like your own. They should have a portfolio of satisfied clients they can discuss and be happy to provide references. Even if one of their past clients is in a different industry to your own, a positive experience should give real peace of mind and lend the vendor credibility.
Check for attestations and certifications from leading security brands on the vendor’s website. These are an excellent trust signal, and indicate the team takes its security seriously. Awards from leading publications or organizations reinforce a vendor’s credibility, too.
Make sure to look the vendor up online and search for reviews. And if negative feedback does turn up, remember that bad reviews may not be genuine. The service provider might be willing to discuss them and share some insight into why they aren’t to be trusted.
Speak to other business-owners and try to find recommendations for reliable third parties in your area. While price is obviously a major factor in your decision, don’t compromise too much just to save a few dollars.
Check their Program for Security Risk Assessments
Take steps to determine the vendor’s approach to security risk assessments, and how regularly they conduct them.
Beware of any team that can’t tell you when they last reviewed their security set-up or what steps they would take if they discovered a data breach. They should be well aware of all potential risks, which measures are necessary to prevent them, and how to communicate these to you in a language you understand.
Reliable vendors will take immediate action to fill any gaps they notice in their cybersecurity posture during assessments. They need to know which cybersecurity attacks their system is particularly vulnerable to, and how a successful attack would disrupt their services.
It’s also vital to find out what a vendor’s plan is for informing clients about a breach, and how they mitigate dangers. This should be documented and well-defined: beware of vendors who seem to be making their plans up on the fly. You want them to be transparent, well-prepared, and in control.
Keep Track of Access
Catalog which tools and files your third-party vendors have access to. You need to know which departments or individuals have permission to use your data, and you can’t always be sure this won’t be misused (by accident or design).
Ask vendors to explain why they require access, and don’t be afraid to get a second opinion if their reasoning doesn’t ring true. A reliable team will be able to explain their requests clearly.
Make sure to check files and tools on a regular basis, to confirm everything is as it should be. Report the first sign of any discrepancies.
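The access review described above can be run as a routine reconciliation. As an added example (not part of the original article), the Python below compares a constructed vendor access register, which records what each vendor is approved to reach, why, and until when, against the grants actually observed on your systems, and flags the discrepancies the section tells you to report; the vendor names, resources and dates are made up.

```python
from datetime import date

# Constructed sample register: what each vendor is approved to access,
# the justification they gave, and the date the approval ends.
APPROVED = [
    {"vendor": "payroll-co", "resource": "hr-share",
     "reason": "payroll processing", "until": date(2025, 12, 31)},
    {"vendor": "it-support-co", "resource": "admin-console",
     "reason": "patch management", "until": date(2025, 6, 30)},
    {"vendor": "marketing-co", "resource": "crm",
     "reason": "", "until": date(2026, 1, 31)},
]

# Constructed sample of the (vendor, resource) grants currently present
# on the systems themselves, as an access export would show them.
OBSERVED = [
    ("payroll-co", "hr-share"),
    ("it-support-co", "admin-console"),
    ("it-support-co", "hr-share"),  # never recorded in the register
    ("marketing-co", "crm"),
]


def reconcile(approved, observed, today):
    """Return sorted (finding, vendor, resource) tuples for every discrepancy."""
    findings = []
    register = {(a["vendor"], a["resource"]): a for a in approved}
    granted = set(observed)

    for vendor, resource in granted:
        entry = register.get((vendor, resource))
        if entry is None:
            # Granted on the system but nobody approved it: investigate first.
            findings.append(("UNAPPROVED", vendor, resource))
        elif entry["until"] < today:
            # Approval lapsed but the grant is still live: revoke or renew.
            findings.append(("EXPIRED", vendor, resource))
        elif not entry["reason"].strip():
            # Approved without a stated need: ask the vendor to explain.
            findings.append(("NO_JUSTIFICATION", vendor, resource))

    for (vendor, resource) in register:
        if (vendor, resource) not in granted:
            # Register says approved, system says absent: the record is stale.
            findings.append(("STALE_REGISTER", vendor, resource))
    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(APPROVED, OBSERVED, date(2025, 9, 1)):
        print("%-16s %-14s %s" % finding)
```

Run it against a real access export on a schedule and keep the register current; a clean run is the evidence that "everything is as it should be".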
Build Your Own Contingency Plans Around Vendors
You need to be prepared for an attack no matter how good your vendors are: it’s no longer a matter of “if” but a matter of “when”. And this preparation has to go deep, too, so your entire business knows how to proceed if the worst happens.
Think about critical systems which your daily operations depend on. If they were to go down, what processes could your workforce continue to perform? What alternative systems do you have to rely on, if any?
Determining the level of damage a cyber-attack would do to your company, and identifying ways to mitigate it, is crucial.
Next, consider your incident response readiness and the response team. Which employees would be most valuable in this group? How would they be alerted to an incident, and how long do you expect it to take for them to go into action?
Another important process to focus on when building your contingency plans is testing. Running experiments can help you assess the quality of your response to attacks, the length of time it would take to communicate with vendors, and how long it might take to get your systems operating again.
Try to make tests a learning process, so you can see where improvements are needed. You might find your vendor is hard to reach in a crisis, or they seem ill-equipped to provide the fast response promised. Either is a major red flag.
Third-party risks can increase businesses’ vulnerabilities to attack, but a cautious, strategic approach to choosing and monitoring vendors can help to keep you safe.
A professional security consulting service will help you understand the risks you face when working with third parties, how to manage them better, and how to keep your security at its best.
Better yet, some cybersecurity firms can help you implement an affordable and automated third-party assessment programme, including initial due diligence and on-going monitoring.
Want to schedule a free consultation and start improving your third-party cybersecurity posture? Just get in touch with our team now!
Steve E. Driz, I.S.P., ITCP