On a very basic level, third party cyber risk management (sometimes shortened to TPCRM) is the process of managing the risks that your partners and suppliers pose to your business’s information security.
In practice, this means making sure you don’t get hacked through the systems of other companies.
Is third party risk a big threat?
Yes, absolutely. Breaches originating from third parties often result in serious losses. Research from IBM shows that the average cost of a data breach is $2.4m.
When you consider the number of third parties (suppliers, software vendors, service providers) store of have access to your company’s data, these numbers begin to feel very real.
But it’s not just data breaches. If the company you rely on to deliver ‘widgets’ was hacked and couldn’t deliver your order, what would you do? How would a gap in production affect your revenue?
What about reputation? Let’s say your ‘widget’ supplier is hacked. None of your customer data is stolen but the widgets can’t be delivered. Your customer deliveries are delayed by a week. Two weeks down the line, you Google your company’s name and notice negative reviews in the results. If you’re seeing it, so are your potential customers. So the effects of that supplier’s hack will bother you for years to come.
How do third party data breaches happen?
Almost all hacks or other data breaches involve a real human inside a target organisation. But your business (probably) isn’t filled with double-agents waiting to sell your information to the bad guys. In reality, people are tricked into sharing credentials such as passwords.
How? Phishing. The bad actor sends an email pretending to be someone else. That email contains a link to a fake login page. The person logs in and the bad actor has their password.
Clearly, it’s often more complicated than that but most attacks originate from this exact process. And training your staff not to click links in emails isn’t the answer – no amount of training will protect your systems.
Now, not only are you at risk of your staff falling for this, but the staff of every other company you interact with as well. We operate in an age of hyper-interoperability. Think of every company which has access to your information. It could be your payments processor, your HR software, your accounting software, your email provider or even the company that prints addresses on envelopes to your customers. Or any one of the other businesses you interact with without even thinking about it.
How can I stop third party cyber attacks?
The cold truth is that you can never stop cyber attacks. They are highly technical exercises being completed by very skilled people. But you can make great strides towards protecting your company from them.
- Make a note of all the companies you share information with
This list will be longer than you expect. As we explored above, you need to get really detailed. Think about all the information held in your email system, your company chat platform, HR and finance tools, marketing operations, file sharing software etc. And that’s before you get to traditional ‘suppliers’. - Audit the cyber security risks they each pose
Don’t worry! This takes a lot less time than you think. Using a tool like Darkbeam’s Horizon platform, you can upload their websites and receive a detailed audit. It usually takes a few minutes from signing up to getting your audit.
Darkbeam’s audits can be ordered by risk, so you’ll see your highest risk suppliers at the top and lowest risk at the bottom. - Work with your third parties
Communication is key. Your suppliers might already know about some of the problems highlighted. Or you might be doing them a favour by asking.
For example, Darkbeam will give you a list of company email addresses which have been hacked (usually using the phishing method above) and are for sale to other hackers on the internet. Your supplier will likely be very grateful if they didn’t already know!
Reducing your exposure to third party cyber security risks is an ongoing process. After following the steps above, you are already protecting yourself better than a lot of companies do.
Create a free Darkbeam myHorizon account and take a big step forward in protecting your company from third party cyber risks.