Managing increased risk of data breaches through third parties with increased data sharing

Matthew Browning, former Head of Cyber Oversight, Direct Line Group

Below is an insight into what can be expected from Matthew’s session at Vendor & Third Party Risk Europe 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

What does the current cybersecurity landscape amongst third parties look like in terms of protection?

The cybersecurity landscape amongst third parties is complex and challenging, featuring a complex web of interdependent suppliers with various levels of cybersecurity maturity. Cybersecurity protection for third-party suppliers remains a significant concern. Many organizations rely heavily on an integrated network of third-party services and products but often fail to assess and manage the associated cybersecurity risks adequately. This has led to several high-profile incidents in recent years, including data breaches that originated from third-party suppliers.

Many organizations are struggling to identify and manage risks associated with their suppliers effectively, and there is a lack of standardization in vendor risk management practices. Additionally, some smaller suppliers may lack the resources or expertise needed to implement adequate cybersecurity measures.

To address these challenges, organizations must continue to invest in their vendor risk management programs, including conducting regular risk assessments, implementing contractual requirements for cybersecurity, and monitoring suppliers for compliance with these requirements. They also need to work with their suppliers to provide guidance and support for implementing adequate cybersecurity measures and building a security culture within the supply chain.

How can we ensure maturity of vendor cybersecurity practices?

Businesses can ensure the maturity of vendor cybersecurity practices by implementing a comprehensive vendor risk management program. These programs must include participation across the enterprise and extend across the entire lifecycle of the third-party service provider, not just at vendor selection or onboarding of the supplier. This will include a robust contract to ensure that vendor contracts include specific cybersecurity requirements, as well as a detailed off-boarding process to ensure the protection of any customer data once the services are no longer in use.

Operational resilience of the supply chains should be considered and must include incident response which includes vendors in the event of a cybersecurity breach. This can help ensure that vendors are aware of their responsibilities and can respond appropriately in the event of an incident. This is a crucial step in managing the growing spiderweb of interdependency within the supplier landscape.

What are the risks of data being mishandled throughout the supply chain? How can we ensure the effective handling and treatment of data?

A few risks that can arise from the mishandling of data through the supply chain include: data breaches if sensitive data is mishandled or not adequately protected; data loss either through accidental deletion or malicious destruction; or inefficiencies from poor data quality in the supply chains leading to inaccurate or incomplete data products with resulting decisions impacting customer service.

These have the potential to result in the loss of valuable intellectual property, trade secrets, or other critical data. Regulatory non-compliance, if sensitive data is mishandled, can lead to non-compliance with data protection regulations such as GDPR or CCPA. This can result in fines and legal liabilities.

To mitigate these risks, enterprises need third-party cyber risk management standards and governance frameworks that are in line with the business objectives. The framework should reflect a holistic approach that involves communication, collaboration, and continuous monitoring of their third-party ecosystem. These efforts can help organizations ensure the effective handling and treatment of data throughout the supply chain, reducing the risk of data breaches, loss, and non-compliance.

Beyond third parties, what are some of the most significant vulnerabilities within the supply chain?

Organizations need to be aware of several other vulnerabilities within the supply chain, including the growing interdependency of suppliers with various levels of cybersecurity maturity, lack of transparency within the supply chain, and increasing risk of regulatory compliance requirements. The supply chain consists of complex multi-tier supply networks of vendors, distributors, and other entities, and each separate link in the chain can introduce vulnerabilities. Attackers may target more minor or less secure elements of the chain to gain access to larger organizations. With this complexity and lack of visibility, there is a greater risk of compromise via an unknown party in the supply chain.

Organizations must ensure that their supply chain partners take appropriate cybersecurity measures and follow best practices. Additionally, clear communication channels and visibility into their supply chain partners’ operations must be established. Addressing these vulnerabilities requires a holistic approach to supply chain risk management, including comprehensive risk assessments, ongoing monitoring, and proactive risk mitigation strategies.

Beyond cybersecurity, there are operational risks to the supply chain’s resilience. The current state of geopolitical disruption, trade wars, sanctions, and regional conflicts can create uncertainty and instability in global markets and affect the availability and cost of materials and components. This has been evidenced in recent years with the chip shortage reducing the availability of critical components, forcing IT teams to extend operational lifecycles for certain systems beyond the ideal and making them more vulnerable. Natural disasters, inclement weather, large solar flares, pandemics, and climate change can cause physical damage and disruption to infrastructure, transportation, and logistics networks.

Addressing these vulnerabilities requires a holistic approach to supply chain risk management that includes comprehensive risk assessments, ongoing monitoring, and proactive risk mitigation strategies.