This means that if your supplier is not POPIA and GDPR compliant, or if a breach in their systems results in the release of our sensitive data, the Regulator could hold your business accountable.
According to the 2022 Security Trends: Software Supply Chain Survey, approximately 30% of organisations were either significantly or moderately impacted by a software supply chain attack – in other words, through a third-party supplier being hacked, which opened a back door into their systems.
Most IT executives are aware of this trend (and vulnerability). Attackers are opportunistic, adapting to whatever foothold they can gain, regardless of the source. This creates headaches for CISOs, as they must now secure their own IT environments as well as assess the security effectiveness of their third-party vendors.
Digital transformation means we’re becoming so interconnected that vulnerability is virtually everywhere. The biggest challenge with third-party risks is that they can impact the company without any initial red flags or alerts going off.
Third parties are required to comply, technically and contractually, with adequate security controls to ensure that the supply chain does not introduce weaknesses or gaps into the overall information security of the organisation. This responsibility falls on employees as well as leadership, and authorisation should be confirmed before new vendors and companies are engaged with or any information is shared. Similarly, any contracts predating POPIA should be reviewed as well.
How do third-party suppliers and cyber risks impact employees?
There are a number of ways that employees are directly impacted by this growing threat through third-party vendors:
Third-party risks in action
To demonstrate the impact of third-party risks, we will use a local example from May 2022. In early May, a large business launched an investigation into a data hack at one of its third-party service providers that resulted in an unauthorised person (that is, a hacker) accessing the personal details of its customers.
The company revealed the hacker gained access to first names, surnames, email addresses and cell phone numbers belonging to more than 3.6 million people.
This business had to immediately take steps to establish the scope of the breach and restore the integrity of its operating system. The incident also shows how third-party vendors create additional security vulnerabilities.
The legal implications
If your data infrastructure holding the personal information of customers, employees or suppliers has been compromised, or you believe it has been breached by an unauthorised perpetrator, your business is required by law to inform the Regulator and the data subjects (anyone whose data you hold or who exists on your system with a digital profile, including users, customers and employees).
The business in our example also had to notify those possibly affected and request them to be vigilant.
Providing personal information only when there is a legitimate reason.
When it is a large breach, the business may also need to formulate a general media release that includes the protective measures people should take (for example, cancelling credit cards) and what the business will be doing to prevent this in future.
Preparing for the future
A new age of cyber security has been characterised by more sophisticated cyberattacks, widespread adoption of digital and analytics transformations and workplace changes. All these conditions challenge existing third-party and supply chain security management procedures.
More than ever before, businesses must treat information handling with care to protect the client’s information just as securely as they would protect their own personal information.
Remember, common sense is your best defence, and educating yourself on this topic puts you in a much stronger position to avoid being targeted.