Cybersecurity and Third-Party Supplier Risk

Author: Nasir Ali, CA, CFE
Date Published: 1 April 2022

Enterprises today are being driven to adopt technology at an unprecedented pace as society witnesses what could be referred to as the Fourth Industrial Revolution (4IR). This technological adoption has been driven by factors such as the quest for efficiency, technology advancements, labor shortages, risk mitigation efforts and, arguably the most impactful factor in recent history, the COVID-19 pandemic. The pandemic has resulted in a transition to remote work, which helped organizations continue operations while restrictions related to virus mitigation were in place. While technology has been of great assistance, enabling remote working arrangements to ensure business continuity, it has also brought about an increase in cyberattacks and malicious cyber activity.1

Cyberthreats introduce risk to business operations and to systems, whether they are managed internally or outsourced to third-party suppliers. Cybercriminals are encouraged by any disruption while organizations are forced to revisit their risk attitudes toward some of their processes to ensure or restore a smooth workflow. Not only are the systems used by the enterprise at risk, but also those used by their third-party suppliers. This is particularly concerning for organizations whose operations rely on third-party support and capabilities.

Enterprises must not only assess their own security environments, but also understand the security environments of their third-party suppliers. Third parties must demonstrate that their governance and cybersecurity postures are on par and in harmony with those of the organizations whose systems they support, without introducing weaknesses that cybercriminals can exploit. An enterprise must treat the third-party supplier’s environment as an extension of its own to ensure security. These are 2 major mandates for any enterprise infrastructure and its accompanying third-party suppliers, as the objectives of each may not align as smoothly as one would expect.

A recent example of the risk involved with supplying support services to clients and their networks is the well-publicized SolarWinds cyberattack, named after the US company that was targeted.2 SolarWinds develops software to assist enterprises in managing their networks. The US government had used software developed by SolarWinds, and attackers were able to deliver hidden Trojan code through a standard software update. This allowed the attackers to infiltrate other connected programs within the client’s enterprise network and exfiltrate confidential information. The SolarWinds attack is a notable example of an attack on a third-party vendor and of its potential implications for that vendor’s other clients. It also signifies the importance of collaborating with third-party suppliers to set and achieve security standards that effectively mitigate risk. Enterprises must ensure that their teams are trained appropriately and that they acquire the necessary capabilities and tools to collaborate with third-party suppliers.

The SolarWinds example highlights the interconnectedness of cyberspace and the need for collaboration at the sectorial, national and global ecosystem levels to develop effective cyberdefenses. The security of an enterprise relies not only on its own employees, suppliers and contractors, but also on those of other organizations in its own geography and in the wider global economy. An enterprise may exhaust its resources securing its own systems, but ensuring that other users of cyberspace are governed by similar security requires a global defense mechanism, which means open communication with partners and even competitors.

To mitigate risk, an enterprise requires a realistic examination of its operations to establish the means by which it could be attacked. An organization’s risk mitigation strategy must take into consideration the following ever-changing factors:

  • Attackers and the tactics they use to understand the organization’s risk management approach
  • The current and the ideal security environment
  • Any new operations introduced into the enterprise
  • New markets into which business may expand
  • New competitors in the market

To improve cyberdefenses, it is vital that defense measures are defined appropriately, along with defense policies and procedures. Enterprises must communicate their defense measures effectively and openly, and must ensure that they understand the cyberdefenses of their third-party suppliers; only then can they consider cybersecurity in the organization to be effective. The key to achieving a transparent and tough attitude toward cybersecurity is for organizations and third-party suppliers to work together.

There are numerous recommendations that can help reduce cybersecurity risk when working with third-party suppliers:

  • Ensure that third parties are required to meet enterprise cybersecurity standards and that the same standards are imposed on any subcontractors.
  • Ensure that testing (e.g., penetration testing) or exercises that test technical systems are conducted regularly.
  • Ensure that access controls grant a user only the access their role requires to do their job, with no other access given, and that zero trust is applied widely across the enterprise.
  • Implement enterprisewide use of multifactor authentication (MFA) for all high-level access.
  • Implement systems to detect possible security threats and notify the appropriate contacts upon detection.
  • Study and prepare for third-party supply chain attack scenarios.
  • Prepare team members through mandatory security training and certification opportunities.
  • Specify security requirements in third-party contracts (e.g., service level agreements [SLAs], escalation protocols) and work with the procurement function to integrate these elements into any supplier contracts.
  • Ensure that cybersecurity expectations from smaller suppliers are fairly balanced between security and the effective use of available resources.
  • Ensure that if any issues are identified, they are corrected, customers are duly informed and risk mitigation procedures are followed.

Conclusion

For most organizations, cyberrisk is inevitable and must be mitigated. While it is easier for enterprises to ensure that their own systems are secured and any risk factors are well mitigated, they may not always be aware of the cybersecurity risk posed to their third-party suppliers’ systems. This makes third-party supplier risk difficult to mitigate, but it is not impossible. The secret is to ensure that organizations and their suppliers have proper risk management systems and processes in place and that communication between each party is clear and transparent. As long as enterprises have this particular aspect of cybersecurity risk on their risk register, there is no reason why cyberrisk cannot be mitigated effectively.

Endnotes

1 Deloitte, “Accelerated Digitalisation Leave Businesses Susceptible to Cyberattacks” 
2 National Cyber Security Centre, “NCSC Statement on the SolarWinds Compromise,” United Kingdom, 21 December 2020

Nasir Ali, CA, CFE

Is an independent consultant working closely with organizations to perform cybersecurity assessments and advising boards on how to ensure that risk is mitigated. He is a fellow member of the Institute of Chartered Accountants in England and Wales (ICAEW) with experience working internationally with Big Four accounting firms. Ali is also a member of the Financial Reporting Panel at the Institute of Chartered Accountants in Scotland.