GCHQ’s NCSC warns that third party suppliers may be businesses’ biggest cyber security risk.
Despite spending millions on cyber security enhancements and compliance around the General Data Protection Regulation (GDPR), organisations remain reluctant to address the weakest link in their IT security environment – their supply chain and associated third-party relationships.
A report in October from the UK National Cyber Security Centre revealed that the GCHQ offshoot had stopped almost 1,200 attacks in the past two years and is fighting off around 10 attacks every week.
Addressing third party cyber security risks are challenging and significant.
For larger organisations, procurement decisions are usually made without input from those responsible for cyber security, and such agreements can provide access to critical systems via open application programming interfaces (APIs) and other interaction mechanisms.
Supplier relationships are also overwhelming without a standard process to manage cyber risk when the relationship is via an arms-length contractual arrangement. Many organisations are struggling to address their internal network security issues and have not sufficiently considered the risks beyond their own network.
But third party cyber security risk is too significant and too dangerous an issue for board members to continue to overlook.
NIS Directive
Current regulatory initiatives including the Networks and Information Systems (NIS) Directive and GDPR require organisations to take responsibility for ensuring that external suppliers have implemented adequate cyber security measures.
Both NIS and GDPR require notification to the Information Commissioner’s Office (ICO) no later than 72 hours after an organisation is aware of a data breach or a cyber incident having a substantial impact on its services.
Many data breaches affecting large organisations occur within a third party service provider. Organisations that do not have the contractual provisions and processes in place with these suppliers to secure the necessary information surrounding the data breach are unlikely to meet the 72-hour deadline.
Missed deadlines and poor or inaccurate information reveal due diligence and contractual failures. These failures increase the risk of a regulatory investigation and significant financial penalties.
But regulatory fines are just the beginning. There are also civil liabilities, as well as loss of consumer trust and investor confidence that result from a cyber breach. Under GDPR, individuals can claim compensation for material and non-material damage.
A data controller is jointly and severally liable for the damage if it was in some way also responsible for a breach due to unlawful processing by a data processor.
To mitigate these risks, organisations that outsource cyber security functions should comprehensively review their third party contractual arrangements and revise their internal procurement processes and procedures to include cyber security assessments. These reviews should, at a minimum, assess, document and monitor these agreements.
Cyber threats are on the rise in both number and complexity. They are purposely attacking the supply chain. Recent regulatory approaches under NIS and GDPR require organisations to take an active role overseeing their third-party providers.
Failure to do so can result in regulatory fines, civil liabilities and reputational loss. Investing human and financial capital now to assess and mitigate risk can help significantly reduce these liabilities, protect an organisation’s reputation and strengthen consumer trust.
If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW