Gremlins in Your Supply Chain: Key Cybersecurity Issues with Third Parties

There has been an increasing spotlight on organisations' supply chains and how they manage 3rd parties, and it is no surprise that this has happened. Security Magazine recently reported research showing that “98% of organizations are affiliated with a third party that has experienced a breach. Furthermore, third-party attacks have led to 29% of breaches.”

Security Magazine also noted that the sectors with the highest rates of 3rd party breaches were healthcare and finance.

The recent CrowdStrike incident is a case in point: a faulty update from a trusted security vendor, not an attacker, literally brought everything to a halt for organisations worldwide. And it is not the only situation that has brought 3rd party risk to the forefront of cyber security.

Managing an organisation's ecosystem is no longer a linear exercise. The radical changes that have propelled the evolution of technology have brought risk with them, and none is more prevalent than 3rd parties who have access to the very environment you are trying to protect.

Whilst focused on financial entities, the introduction of the Digital Operational Resilience Act (DORA), which applies from 17 January 2025, shines a brighter light on 3rd party risk and on the greater oversight organisations will need over who they operate with.

What Are the Key Cyber Security Issues with 3rd Parties?

You have no control over their cyber security: And why would you? They are a separate business entity, yet they have a great deal of access to your business ecosystem. You have very limited visibility of, and control over, their cyber security measures. So if their cyber security practices are weak and they have access to your environment, they become an easy entry point for attackers.

Access to your data: Your 3rd parties may have access to your organisation's sensitive data. If a 3rd party experiences a breach, your data could be exposed along with theirs.

Inadequate incident response: How 3rd parties react to an incident depends very much on their ability to detect, respond and recover. If they are not monitoring their environment adequately, their delay also becomes a threat to your business ecosystem: an attacker with a foothold in the supplier has that much longer to move into your systems before you hear about it.

Insider threats at your 3rd parties: You have no idea how well trained or aware your 3rd parties' teams are. Inadequate training, and staff who are careless or malicious, may mean that attackers who manage to infiltrate your 3rd party (for example by phishing one of its employees) can infiltrate your systems too.

Compliance and regulatory risks: Third parties not adhering to the right regulations can expose the primary organisation to legal and financial penalties.

What Are the Steps That Organisations Should Take to Mitigate Any 3rd Party Risk?

Ensure stringent due diligence: Conduct thorough cyber security risk assessments on any 3rd party before entering into a contract. Review their cyber security policies and past cyber security incidents, and insist on continuous monitoring of their cyber security posture throughout the duration of your relationship.

Implement contractual safeguards: Cyber security measures need to be considered in any contract with a 3rd party. Include specific cyber security requirements in contracts, such as adherence to recognised standards (e.g. ISO 27001, the NIST Cybersecurity Framework), breach notification timelines and the right to audit.

Least privilege and access: Control what access any 3rd party has to your systems and data, grant only the access that is strictly necessary, and use role-based access control to enforce it. Couple this with regular, periodic access reviews so that privileges do not quietly accumulate, and revoke access promptly when an engagement ends rather than leaving unused vendor accounts in place.
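The periodic review the paragraph above calls for can be scripted rather than done by hand. The following is an added example, not code from the original article or from any product it mentions: it checks a set of vendor accounts against a per-vendor role policy and flags excess roles, accounts belonging to no approved vendor, access that has outlived its contract, and credentials that are stale or have never been used. The vendor names, role names, accounts and review date are all constructed for illustration.

```python
"""Periodic least-privilege review of 3rd party (vendor) accounts.

Added example, not from the original article. The vendor names, role names,
accounts and the review date below are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Assumed per-contract policy: the only roles each vendor is entitled to hold.
VENDOR_ROLE_POLICY: Dict[str, Set[str]] = {
    "payroll-vendor": {"hr-readonly"},
    "backup-vendor": {"storage-backup-operator"},
}
MAX_IDLE_DAYS = 90  # access not exercised for longer than this is stale

# Fixed review date so the run is reproducible (constructed).
REVIEW_DATE = datetime(2024, 9, 1, tzinfo=timezone.utc)


@dataclass
class VendorAccount:
    username: str
    vendor: str
    roles: Set[str]
    last_login: Optional[datetime]  # None = credential issued but never used
    contract_end: datetime


@dataclass
class Finding:
    username: str
    issue: str
    detail: str


def review_vendor_access(accounts: List[VendorAccount], now: datetime) -> List[Finding]:
    """Compare each vendor account against policy and return every violation."""
    findings: List[Finding] = []
    for acct in accounts:
        allowed = VENDOR_ROLE_POLICY.get(acct.vendor)
        if allowed is None:
            # An account tied to no approved vendor should not exist at all.
            findings.append(Finding(acct.username, "unknown-vendor", acct.vendor))
            allowed = set()
        excess = acct.roles - allowed
        if excess:
            findings.append(Finding(acct.username, "excess-privilege",
                                    ",".join(sorted(excess))))
        if acct.contract_end < now:
            findings.append(Finding(acct.username, "contract-expired",
                                    acct.contract_end.date().isoformat()))
        if acct.last_login is None:
            findings.append(Finding(acct.username, "never-used", "no login recorded"))
        elif now - acct.last_login > timedelta(days=MAX_IDLE_DAYS):
            idle = (now - acct.last_login).days
            findings.append(Finding(acct.username, "stale", f"{idle} days idle"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group issue names by account so each account's status is visible at a glance."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.username, []).append(f.issue)
    return {user: sorted(issues) for user, issues in out.items()}


def days_ago(n: int) -> datetime:
    return REVIEW_DATE - timedelta(days=n)


def sample_accounts() -> List[VendorAccount]:
    """Constructed sample: one clean account, one over-privileged and idle,
    one past contract end and never used, one tied to a vendor not in policy."""
    return [
        VendorAccount("svc-payroll-01", "payroll-vendor", {"hr-readonly"},
                      days_ago(10), REVIEW_DATE + timedelta(days=200)),
        VendorAccount("svc-payroll-02", "payroll-vendor", {"hr-readonly", "domain-admin"},
                      days_ago(120), REVIEW_DATE + timedelta(days=200)),
        VendorAccount("svc-backup-01", "backup-vendor", {"storage-backup-operator"},
                      None, days_ago(30)),
        VendorAccount("svc-legacy-01", "old-vendor", {"file-share-rw"},
                      days_ago(5), REVIEW_DATE + timedelta(days=10)),
    ]


def run_review() -> Dict[str, List[str]]:
    """Run the review over the constructed sample and return issues per account."""
    return summarise(review_vendor_access(sample_accounts(), REVIEW_DATE))


if __name__ == "__main__":
    for user, issues in run_review().items():
        print(f"{user}: {', '.join(issues)}")
```

In a real environment the account list would be pulled from the identity provider and the policy from the contract register; the point of the script is that each finding maps to a concrete action (remove a role, disable an account, chase the business owner) and that the review produces the same answer every time it is run.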

Make sure your data is encrypted: Any data shared with 3rd parties should be encrypted in transit and at rest, reducing the risk of exposure if a breach occurs. Where a supplier does not need the real values, mask or pseudonymise the data before it leaves you, so that your suppliers are handling anonymised data and a breach on their side reveals nothing that directly identifies your customers.
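The masking step above has a common pitfall: replacing an identifier with a plain hash of itself looks anonymised but is trivially reversed by anyone who can guess the inputs, because e-mail addresses and account numbers are low-entropy. The following added example, not code from the original article, shows the difference between an unkeyed hash and a keyed HMAC pseudonym, and strips fields the supplier does not need rather than tokenising them. The key, field names and customer records are constructed for illustration.

```python
"""Pseudonymising identifiers before they are shared with a 3rd party.

Added example, not from the original article. The key, field names and the
customer records below are constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional

# The data owner's secret. In practice generate it with secrets.token_bytes(32)
# and never hand it to the supplier; fixed here so the run is reproducible.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse-0123456789"


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256: looks masked, but anyone can recompute it for guessed inputs."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256: stable for a given key (records still join on it),
    but cannot be recomputed by anyone who does not hold the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """What a supplier-side attacker can do without the key: hash each guess
    and compare it with the token. Returns the recovered value, or None."""
    for guess in candidates:
        if hmac.compare_digest(naive_hash(guess), token):
            return guess
    return None


def mask_record(record: Dict[str, str], keep: Iterable[str], tokenise: Iterable[str],
                key: bytes = PSEUDONYM_KEY) -> Dict[str, str]:
    """Keep only the fields the supplier needs and replace identifiers with
    tokens; every other field (e.g. name) is dropped rather than sent."""
    out = {f: record[f] for f in keep}
    for f in tokenise:
        out[f] = pseudonymise(record[f], key)
    return out


# Constructed customer records; the third row repeats the first on purpose
# to show that tokens are consistent and the supplier can still de-duplicate.
CUSTOMERS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "name": "Alice Smith", "plan": "gold", "region": "uk"},
    {"email": "bob@example.com", "name": "Bob Jones", "plan": "silver", "region": "ie"},
    {"email": "alice@example.com", "name": "Alice Smith", "plan": "gold", "region": "uk"},
]


def masked_export() -> List[Dict[str, str]]:
    """Produce the rows that would actually be sent to the supplier."""
    return [mask_record(c, keep=("plan", "region"), tokenise=("email",)) for c in CUSTOMERS]


if __name__ == "__main__":
    guesses = ["carol@example.com", "alice@example.com"]
    leaked_hash = naive_hash("alice@example.com")
    print("naive hash recovered:", dictionary_attack(leaked_hash, guesses))  # alice@example.com
    leaked_token = pseudonymise("alice@example.com")
    print("HMAC token recovered:", dictionary_attack(leaked_token, guesses))  # None
    for row in masked_export():
        print(row)
```

Two caveats. The key is the whole protection, so it stays with the data owner and is never shared with the supplier, and rotating it breaks joins across exports. And keyed pseudonymisation is reversible by whoever holds the key, so the data is only anonymised from the supplier's point of view; under GDPR it remains personal data in your hands.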

Zero trust architecture: After all this you should have enough in place to trust your 3rd party, but as an added layer make sure your zero trust architecture encompasses them and that continuous verification of every access request is enforced. This includes network segmentation, multi-factor authentication (MFA) and strict identity and access management.

Regulatory compliance: It is essential that you monitor their regulatory compliance. There is enough to do monitoring your own, but you must hold them accountable for adhering to whatever regulatory compliance applies. If you are a financial entity, the Digital Operational Resilience Act (DORA) will enforce this, and it is our opinion that other regulations will follow, as well as stipulating continual monitoring as an essential part of maintaining compliance.

As ever, proactivity is key with your 3rd parties: eliminate as much risk as possible, including by implementing a cyber security strategy that specifically addresses their cyber risk. This is challenging, particularly alongside your own organisational challenges, but 3rd party cyber security must become integral to your overall cyber security strategy.
