Securing the Weakest Link: A Guide to Third Party Cyber Resilience

By James Rees, MD, Razorthorn Security

We live in a business world where vast amounts of our critical services are delivered to us as a service. The world of on-premise solutions has all but disappeared – sure, there are still some systems that operate on premise, but these days more key services are delivered to users and organisations as a service solution. This has increased profitability, allowed small companies to gain access to software and systems that were previously out of reach, and has dealt a significant blow to piracy. The benefits of services in the cloud, with tools such as CRM, project management, finance, accounting, SIEM, collaboration tools, cloud providers, etc., are all very apparent, as these services and the companies providing them have exploded in the business world. But with this comes a rather significant problem which is playing out in real time, day in, day out – these solutions, and the underlying organisations providing them, are not adequately secure.

Recently there has been a huge increase in the number of cyber attacks on service providers, with security incidents at firms such as MOVEit, London & Zurich, New Relic, CTS and so many other suppliers currently in the news. It’s clear that the lack of security throughout the supply chain is affecting numerous organisations, not just the ones that directly experienced a cyber event. Cyber events targeting service providers cause significant loss of productivity, money and reputation to numerous customers of those services. This is becoming a significant issue, and while legislative bodies and compliance frameworks within the business world are slowly starting to focus on this problem and amend their frameworks to compensate, this is not happening fast enough. The problem is real and happening right now.

Rethinking Third Party Security Assessments

One of the areas of defence in depth that companies rarely take seriously is third party security. The ones that do will often only send a service provider a simple questionnaire to attempt to validate what level of security they have internally. It is not enough – more often than not, these questionnaires do not give a realistic and accurate depiction of the state of security at these service providers, and in some cases service providers are outright lying to get the business. Even more worrying is that service providers themselves are using as-a-service cloud companies to create their offering, and they themselves are not doing adequate security due diligence on THEIR providers, leading to a chain of insecurity in which a security event can occur that has a ripple effect through the chain, like a child throwing a rock in a lake.

The current landscape of cyber threats and vulnerabilities demands a more comprehensive approach to third party security. A simple questionnaire is not enough to assess the complete scope of a service provider’s security posture. A better approach involves conducting thorough security audits, vulnerability assessments and penetration testing of these service providers. This provides an in-depth understanding of their security practices and identifies any potential weaknesses that could be exploited by cybercriminals.

Elevating Standards: ISO 27001, NIST & Third Party Security

In addition to this, companies should also require their service providers to adopt robust security standards such as ISO 27001 or the NIST framework. These standards provide guidance on implementing effective information security management systems and identifying potential risks. A further safeguard is to have a recognised information security company or professional undertake a full security assessment of these organisations, as a secondary validation that these standards and frameworks are being effectively and efficiently managed. This could be required by the end customer before that customer procures the solution.

It is also crucial for companies to understand and enforce these requirements throughout their service providers’ own supply chains. If these providers are outsourcing or using other third party services, companies should extend their security assessment to those additional parties as well, based on a criticality review of the service provider in question.

Contractual Safeguards

This will lead to the need for contractual agreements with service providers to include not only clear clauses about data protection and breach notification obligations but also ‘right to audit’ clauses. The aim is to ensure that security is assessed not only when the initial service offering is procured, but also that on-the-spot reviews can be undertaken at any given time, either at random or if the customer suspects a security incident at that service provider.

In conclusion, the increasing reliance on service providers has brought about numerous benefits, but it also poses significant security risks due to the interconnected nature of these services. As such, businesses must take proactive measures to ensure that their service providers are effectively securing their systems and adhering to robust security standards. This includes conducting thorough security audits and assessments, enforcing stringent data protection provisions in contractual agreements, and insisting on ‘right to audit’ clauses to allow for random checks and investigations when necessary.

The role of cybersecurity in today’s business landscape cannot be overstated. It is not just about securing one’s own systems; it extends to ensuring the security of all third party service providers involved in delivering critical business services. It is a collective responsibility that requires a comprehensive approach, from due diligence during procurement to ongoing monitoring and assessment of these service providers’ security practices.

By adopting this approach, businesses can strengthen their defence against cyber threats and minimise the risk of data breaches that could potentially result in significant financial losses and reputational damage. The need for rigorous third party security is a reality that all businesses must acknowledge as they continue to navigate the complexities of our interconnected digital world.
