Recent world events have accelerated digital transformation programmes in organisations of all sizes and sectors. As businesses create more connected products, integrate new technologies or enter new partnerships, they need to ensure they are not exposing their data and systems or their clients’ data to cyber risks, says Paul Kenealy, co-founder & managing director at Threat Essentials.
These threats are only set to grow as the Internet of Things (IoT) connected devices will amount to 30.9 billion units worldwide by 2050, over four times the world’s current population, according to research from Statista. And it is not just through an organisation’s own systems. Third-party suppliers of software, programmes and networks are equally at risk, adding to the attack surface and opportunity of each user regardless of size.
How many organisations are left vulnerable in this way is not fully known, but the problem cannot be under-estimated. So-called ‘third-party risk management’ is the new cybersecurity issue of magnitude that few are aware of and understand.
Here, Paul Kenealy, co-founder & managing director at Threat Essentials explains how managing third-party cyber risk from a robust threat intelligence approach not only reduces risk but creates new strategic advantage too.
The rising cyber security threats in a connected world
As the world becomes more connected, third-party relationships are becoming more common; a recent Gartner report suggests that the median organisation contracts with as many as 5,000 third parties. The more third-party relationships that businesses have, the more susceptible they are to hacks and ransomware incidents making third-party risk management more important than ever.
Ultimately, it’s not just data that is at risk, as cyber breaches can result in large pay-outs for organisations no matter how big or small, in addition to damaging their reputation. A recent survey by the Ponemon Institute found that 53% of organisations have experienced a data breach as a result of a third party, with each breach costing an average of US$7.5 million (€6.30 million), as reported by Security Boulevard.
The high number of cyber breaches from the supply chain suggests that many businesses do not have the tools, resources or knowledge to protect themselves from attacks. This is backed by research from Ponemon Sullivan that shows there is a significant gap between the monitoring of IoT devices in the workplace and the IoT of third parties.
Recent high-profile third-party hacks include Canada Post, which allegedly experienced a third-party data breach through their supplier, Commport Communications, showing that third-party cyber risks are becoming a trending modus operandi for threat actors. They are seeking to exploit the weakest link in a supply chain, targeting organisations that hold a significant amount of digital data to ensure they pay ransomware charges to prevent data from being made available on the dark web.
The key take-away? Organisations must ensure they know which third parties can access their systems to prevent future attacks. Third-party risk management solutions scan vendors and evaluate their cyber risk level, delineating where they fall short and allowing them to remediate their shortcomings.
With a third-party risk management solution in place, organisations can share with their vendors a standard of cyber security expected from them, including assurance for IoT security. This assures not only their own cyber security, minimising avoidable costs of ransomware, but organisations can also position themselves as cyber-safe partners.
Understanding your cyber threat intelligence
The first step to understanding your cyber threat intelligence is to level up your knowledge of the current landscape and the dangers in the supply chain, particularly in the C-suite levels of businesses and company decision-makers. It is also important for companies to know who is assigned responsibility for the security of the organisations’ IoT devices, performing risk assessments and control validation techniques.
According to a 2020 study by BlueVoyant, 29% of CIOs, CISOs and chief procurement officers surveyed said that they had no way of knowing if a cyber risk emerges in a third-party vendor. However, attitudes towards cyber risk management are changing, with companies putting it higher on their top priorities. In the same study, 81% of respondents said that their budget for risk management had increased by an average of 40%.
This shows that C-suites are becoming more aware of the need to protect their digital assets in the current context, where connected technologies are becoming a norm to facilitate business processes but also a risk to the overall integrity of their organisations.
Unlock your cyber risk management potential
The increased demand for IoT devices means that organisations need more advanced technological solutions that leverage data to help identify threats and minimise the likelihood of an attack. Current solutions can ensure that third parties have declared all of their past incidents to reduce the attack surface and verify that their devices and networks are protected, increasing trust in partners.
Third-party risk management can also present a range of additional benefits for organisations. Scanning the cyber hygiene of clients will become the industry standard, so companies should begin increasing their security for a competitive advantage.
As more regulation is enforced, organisations should attempt to stay ahead of the trends to keep their reputation, relationships, devices and data safe from harm.
The author is Paul Kenealy, managing director at Threat Essentials.