It’s not what you know but who you share it with!
Imagine your horror on a lazy, coffee-fuelled Sunday morning, browsing the news, when you spot that a key third-party you supply client information to has been hacked. You haven’t been informed. You wonder what data was lost. Your clients know you work with this institution and want to know if their data has been leaked…how do you respond?
After much chasing and frustration, a few days later, you’re finally given the details of the lost files. You learn that despite their headline brand they had very limited security protocols in place. To top it all, you’ve just put the phone down to the local Data Commissioner asking you to send over the process that you and the board undertook to ensure your third-parties were GDPR compliant and had a robust cyber perimeter!
Whether operating a business or managing your personal affairs, most of us operate in networks with digitised supply chains, utilising various service providers and cloud platforms. Hackers know and love this and they aren’t shy to exploit the weakest link in the chain. In fact, third-party breach is a key tactic to infiltrate an organisation and these activities keep dominating the media. For example, in 2018 British Airways (BA) experienced a data breach that was related to a third-party developed module for their website. Hackers stole more than 350,000 credit card details.
So how are others managing third-party cyber security risks?
Staggeringly, many businesses in the Channel Islands rely on suppliers’ brand reputation without any explicit requirements for cyber security standards. Just because they are excellent at what they do, be it custody, legal, accounting or administration, many assume this spills over into their approach to cyber security. It’s estimated that only one in ten organisations actually request facts or even submit a questionnaire on cyber security; the rest blindly trust the third-party source. Smaller organisations in particular struggle to find sufficient bandwidth to resource this process.
Still, the likes of GDPR reinforce this key fact regarding outsourcing – you can outsource the task, but not the responsibility for the task, and more importantly, not the underlying data security. Therefore, you should ensure that your vendors and service providers are utilising optimal cyber security practices, in line with your own risk appetite.
Reputational impact – It doesn’t matter who leaked it, or who allowed it to be hacked, such events damage reputation, customer trust and public perception. Affected organisations will become the focus of unwanted media spotlight and adverse news. It was British Airways who had to deal with the crisis communication and preserving reputation following the recent breach, and not the vendor of the third-party module through which the breach was actually facilitated.
Operational impact – Dealing with data breaches takes valuable senior time and effort, and these two resources are often scarce, impacting your day-to-day activities. But it gets worse – a cyber breach could disrupt the normal operation of your or your vendor’s IT system, for example by encrypting data during a ransomware attack.
Regulatory and legal impact – Increasingly, cyber security is in the regulators’ spotlight. GDPR, although broader than just a cyber security regulation, focuses heavily on measures you’ve implemented in protecting personal information you hold. Fines could be hefty, but there’s also a risk of regulatory visits and audits. Furthermore, litigation costs may be crippling as customers and victims seek monetary compensation.
Financial – It all comes down to this. Whether you’re losing existing and prospective business due to reputation, you’re unable to actually run your operations, or you’re paying regulatory fines and litigation costs, cyber breaches can and will negatively impact your finances.
Doing the right thing
Whatever the stage of your vendor relationships, you can take various measures to manage the cyber risk, such as reviewing your contracts, carrying out cyber security assessments, obtaining assurance reporting and using digital tools to monitor your third-parties.
Protecting your secrets… what next?
You should ask yourself who the third-parties you share data with are, and whether you know how well they are prepared for cyber incidents. Do you know, for example, how they detect breaches and how they are going to inform you in the case of an incident? If you are not sure and want to manage the risk, add third-party risk assessment to your own cyber toolkit. Knowing about the cyber security of your third-parties is undoubtedly a key part of your cyber perimeter. Remember it is not if… it is when.