Upward Trend: Cyber Risks Associated With Partners and Suppliers

Cyber risks pose a serious threat to companies, which is why protection against these risks is fundamental. Many companies have already realized this and control their own digital security. However, they only have limited control over the security measures of their partners and suppliers. These in turn can cause far bigger threats in certain circumstances than is the case with internal vulnerabilities. Violations of third parties can also result in unpleasant surprises, as without due care a contractual party can be liable to the same extent.

More Than Half of Companies Have Already Experienced a Data Breach by a Third Party
The “Data Risk in the Third-Party Ecosystem” research of the Opus & Ponemon Institute shows that 59% of companies from the US and the UK were affected by a data breach by a third party in 2018. This is one of the most rapidly increasing risks for a company’s sensitive data. According to the research, over three quarters of organizations in total believe that the number of cyber incidents by third parties will grow. However, not all of them recognize the need for action. Less than half of all companies find the management of relationships with third parties a priority. Yet more and more companies rely on third parties. They purchase a wide range of IT-based services such as cloud storage, CRM solutions or SaaS platforms from partners and suppliers. The CRM system is a good example. CRM involves the entire customer data of a company. If some malicious parties hack the system of a CRM provider, they will compromise all personal data of a company’s customers.

It Is Necessary to Take a Holistic View on the Company’s Vulnerability
The more services companies outsource, the more active they need to be in controlling the threats they are exposed to through their partners and suppliers. It is indispensable to take a holistic view on the vulnerability of the company, including third parties, to implement the right protection measures and processes. Potential security risks must be addressed and reviewed already at the stage of selecting and onboarding partners and suppliers. Once the contract is concluded, third-party risk management also covers monitoring of contractual provisions and critical digital interfaces (vectors). Bruce Schneier, renowned cryptographer, summed it up in one sentence: “Security is a process, not a product.” Looking into each internal unit can make the bigger picture collapse. Therefore, cyber security should always be approached holistically for the company to be protected in all possible ways. This is why an offensive Digital Risk Monitoring is key and decisive for expert advice.