Synopsis
This presentation explores the critical yet often overlooked threat of third-party risk in cybersecurity. It highlights real-world examples of how vulnerabilities in the supply chain have led to devastating data breaches and outlines a proactive approach to building a more secure digital ecosystem.
The Expanding Attack Surface:
Today's interconnected business landscape means organisations rely on a vast network of vendors, manufacturers, and software providers. Each third party introduces potential vulnerabilities that hackers can exploit to gain access to core systems and data.
Real-World Examples:
The 2013 Target data breach, where hackers infiltrated a point-of-sale system through a third-party HVAC vendor, serves as a stark reminder of the consequences of neglecting third-party security. Similarly, the recent SolarWinds supply chain attack demonstrates how a compromised software update from a trusted vendor can have widespread ramifications.
Types of Third-Party Risk:
Third-party risks extend beyond data breaches. Outdated software, weak physical security at a manufacturer, or even disgruntled employees at a vendor can all pose significant security threats.
Notifiable Data Breaches:
A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act 1988 covers your organisation or agency, you must notify affected individuals and us when a data breach involving personal information is likely to result in serious harm. This is a major concern for Australian organisations.
Building a Secure Supply Chain:
A proactive approach to third-party risk management is crucial. This includes:
- Risk Assessment: Conduct thorough assessments to identify vulnerabilities before entrusting data or access to third parties.
- Contractual Safeguards: Establish robust security clauses in vendor contracts outlining security standards, compliance requirements, and incident response protocols.
- Regular Audits: Regularly assess vendor security practices through audits to ensure adherence to agreed-upon standards.
- Collaboration: Foster open communication and collaboration with vendors through joint security training and information sharing to identify and mitigate risks.
Pitfalls of automated tools:
Utilising an automated tool that scans ‘external’ websites provides a false sense of supply chain security. Such tools don’t provide valid insights into the security of the supplier.
Comprehensive Process to manage supply chain risk:
The following recommendations will provide a baseline to build a robust cyber security third-party risk management program:
- Create a questionnaire based on relevant industry frameworks. The NIST framework is a good start.
- Define roles and responsibilities when it comes to conducting risk assessments. Assign dedicated personnel to perform the risk assessment if possible.
- Classify suppliers based on criticality of the services that they provide and sensitivity of the data that they have access to.
- Assessments should be periodic.
- Set realistic timelines. The process is extremely demanding, especially for medium-sized to larger organisations.
- Continuously improve the process. Learn, adapt, and improve. Managing third party risks is a challenging but necessary undertaking.