Managing Third-Party Cyber Security Risk
Managing third-party cyber security risk is a critical challenge for organisations. At the Australian Financial Review Cyber Summit last week, ASIC Chair Joe Longo spoke about the reliance of Australian businesses on third parties and the software supply chain security risk which organisations face. Australian organisations from small to very large all rely on third party suppliers to varying extents, as a strategic pillar of efficient business operations to improve service delivery and reduce costs. As part of these day-to-day operations, businesses share critical and sensitive data and documentation with service providers. These third parties become data custodians of the original information, and it’s critical to understand and review the steps they take to safeguard this information.
Two of Australia’s acute cyber security breaches over the last year highlight third party risk:
- The HWL Ebsworth law firm data breach led to 2.5 million documents being exfiltrated from HWL Ebsworth systems, with more than 1 million of these documents, containing sensitive, confidential and legally privileged client information, being published on the Dark Web and other locations. Government agencies, banks and smaller clients discovered that their confidential information was in the public arena as a result of a service provider's systems being compromised.
- The Latitude Financial data breach led to almost 330,000 customer documents being downloaded from Latitude's systems. This breach arose through business email compromise of a user who had logged in with credentials that were jointly issued by Latitude and one of its trusted service providers, which provided credit checks on customers applying for a new financial product with Latitude. Very few people know or care that the breach appeared to occur through DXC Technology. Regardless of where the attack began, Latitude was deemed to be responsible for it.
"You can outsource functions, but you can't outsource the risk. That's what companies like Latitude need to understand. They just have to invest in security themselves… The reality is it's the Latitude brand that gets impacted, and that's what I hope is the lesson learned from this attack: you've got to know who your service providers are…"
Nigel Phair, Chair of CREST
There are increasing calls in government and industry to ensure that large third-party outsourcers and software providers are held to account for flaws in their systems that affect their downstream customers and users. In particular, this could lead to a shift in accountability and liability onto vendors of software products and services, to ensure they incorporate security-by-design into their development practices.
Steps for managing third-party cyber security risk
In the current environment, the onus remains on organisations to oversee the management of third-party cyber security risks, ensuring that vendors and partners meet the required cyber security standards and practices – and, as emphasised by Joe Longo, Boards are responsible for ensuring that this takes place to an appropriate level.
CyBiz recommends that organisations adopt a prioritised approach to third-party security, with detailed oversight required for strategic suppliers where those suppliers:
- manage critical outsourced functions;
- hold or have access to your organisation’s sensitive information; or
- are able to generate credentials for access to online systems, even with restricted privileges.
Here are some best practices we recommend to effectively manage cyber security risks for strategic suppliers:
- Risk Assessment and Due Diligence: Conduct thorough risk assessments of potential third-party suppliers before engagement, assessing their cyber security measures, data handling practices, and overall security posture.
- Contracts and SLAs: Clearly outline cyber security requirements in contracts and service level agreements. CyBiz recommends that for strategic suppliers it is best practice to enter into a stand-alone Information Security Agreement (separate from the substantive contractual arrangements) which defines the cyber security standards and procedures, security responsibilities, data protection measures, incident response procedures, compliance with applicable laws and regulations, and liability for breaches.
- Ongoing Cyber Security Audits and Assessments: Regularly perform cyber security audits and assessments to monitor the security performance of third-party suppliers. Evaluate their cyber security controls, processes, and policies to ensure they align with your organisation's standards, and establish a schedule for ongoing assessments. For strategic third-party suppliers this may involve penetration testing or red-team activities. Ensure that suppliers address findings and implement corrective actions, where needed, within agreed timeframes. This should be linked to contractual SLAs, with repercussions for non-compliance.
- Mandatory Cyber Security Standards: Ensure that you review and are satisfied with supplier internal cyber security controls. For example, ensure that suppliers use encryption and other security measures to protect sensitive data, and implement measures to ensure data integrity, confidentiality, and availability throughout its lifecycle.
- Access Controls and Monitoring: Enforce strict access controls and monitoring mechanisms for third-party access to your systems and data. Use multi-factor authentication (MFA), role-based access, and regular monitoring to detect unauthorised activity. Ensure that credentials are regularly refreshed and that your organisation's password protocols are imposed on suppliers.
- Incident Response Planning: Collaborate with suppliers to develop incident response plans that detail actions to be taken in case of a security incident. Establish clear communication channels and escalation procedures to promptly address and contain potential breaches.
- Regular Training and Awareness: Educate third-party suppliers about your organisation’s cyber security policies, procedures, and expectations. Offer training to enhance their awareness of current cyber threats and best practices for mitigating risks. Involve supplier personnel in wargame tabletop exercises to simulate response to cyber security incidents.
Following these practices won't remove your third-party cyber security risk, but it will enable you to identify and address key risks, and to manage the overall relationship so as to strengthen your organisation's security posture.
Make third-party compliance with your organisation's cyber security policies, standards and procedures mandatory. For suppliers that are unwilling or unable to meet these requirements, develop a clear exit strategy and decommissioning plan that revokes credentials and removes third-party access to your information and systems, and that ensures secure data transition, removal, or destruction in accordance with your organisation's policies.
Contact CyBiz for assistance with all of your third-party cyber security needs, including creating legal and contractual frameworks, due diligence, ongoing assessment, training or decommissioning.