Cybersecurity and Third-Party Risks
Global companies are suffering compliance overload, especially when it comes to third-party risk. As we have seen over the years, third-party risk management already covers significant exposure to anti-corruption, anti-money laundering (AML), fraud, sanctions, human trafficking and a host of other threats to a company's reputation.
But that is not all: cybersecurity has to be added to the list of third-party risk management issues. Why?
Every third party a global company does business with is a potential path for an attacker to bypass the company's own cyber defenses. I know it sounds scary, but the fact is that a third party can be the proverbial back door into a company, resulting in a major cyber-attack and a breach of company data.
Take, for example, the increasing use of the Internet of Things (IoT): the growing network of physical devices, vehicles, home appliances and other objects that contain software, sensors and network connectivity to transmit and exchange data. If cyber protections are not built into these deployments, a small vendor or contractor that serves a global company becomes an attractive target. Once inside the vendor's environment, the attacker may be able to pivot into the global company's network and bypass the controls the company built around its own perimeter.
Global enterprises continue to interconnect endpoints, objects and platforms, expanding the Internet beyond the existing definition of a "network." Businesses are estimated to connect as many as 3 billion objects to their existing networks, reaching past traditional network devices and linking them to the Internet to gather data, operate efficiently, and automate and monitor business operations. This expansion could have a significant impact on overall economic growth and productivity.
The risk, however, is significant because IoT devices are generally unsecured: they often ship with weak or default credentials and lack basic protections, and they are rarely patched once deployed. As a result, IoT devices create substantial vulnerabilities, especially when a third party deploys a device inside or alongside a company's environment.
A recent Ponemon study found that only one-quarter of responding companies assessed, managed and monitored third-party cyber risks. (See Here for Study.)
Global companies will eventually have to impose cybersecurity standards on their third parties, especially small and medium-sized businesses. Another study found that 55 percent of small businesses had been breached in 2016, and that few small or mid-sized organizations view cybersecurity as a major risk. (See Here for Study.)
Small businesses that supply sensitive technology or peripherals could be targeted as an easy access point into a financial institution or other major global company. It is easy to imagine a cyber-attack that starts on a small vendor's equipment which performs an important function for a global business; because that equipment is already trusted by, and often connected to, the company's network, the attack bypasses elaborate cybersecurity protections built to face outward.
Global company due diligence processes will need to address cybersecurity risk as part of initial screening, risk analysis and contracting. IoT security issues will need to be identified, and third parties will have to meet basic cybersecurity requirements, such as patching, credential management, network segmentation of their devices and timely notification of incidents, as a condition of doing business.