Bernard Munyaradzi Chadenga, founder and CEO of The Cimplicity Institute, took the stage at the ITWeb Security Summit in Cape Town to highlight the escalating risks associated with third-party suppliers and partners. A familiar theme, it marked a continued acknowledgment that, despite years of awareness, many businesses remain underprepared for these vulnerabilities. Chadenga’s sentiment underscores a critical turning point in risk management—merely ticking off boxes during vendor assessments is no longer tenable.
In today’s interconnected business landscape, third-party security risks are omnipresent, affecting virtually every company with external relationships. As Chadenga pointedly remarked, “Third-party security risks arise when you have outsiders connected to your business in some shape or form. And let’s face it, who doesn’t?” This stark reality was evidenced recently by a cyberattack on CDK Global, a software provider serving 15,000 car dealerships in North America. The breach illustrated the devastating ripple effects that can occur when a seemingly insulated vendor suffers an attack, emphasising the need for robust cybersecurity measures across the board. As disruptions from such attacks become increasingly common, vigilance in monitoring third-party vendors is essential.
Chadenga’s approach of categorising third parties into high-, medium- and low-risk groups resonates with best practices highlighted across numerous discussions in the sector. High-risk vendors carry significant weight: should they falter, so too does the business relying on them. According to cybersecurity experts, this group should be subject to rigorous ongoing assessment, including continuous monitoring and regular audits to ensure compliance with stringent security standards. This approach aligns with recommendations from various sources advocating proactive risk management.
Moreover, the importance of comprehensive vendor assessments cannot be overstated. The blog by Samita Nayak discusses critical areas such as data access and vendor security practices, which are essential to mitigating third-party risks. Such precautions are vital in crafting a thorough vendor management policy, which requires not just initial due diligence but ongoing oversight to safeguard organisational integrity.
Chadenga cautioned against passivity in vendor relationships, highlighting the necessity for businesses to maintain an acute awareness of their suppliers’ stability and practices. He illustrated this with the scenario of a vendor changing leadership frequently or experiencing drops in credit ratings—elements that should trigger a review process within the contracting company. Monitoring these indicators is increasingly viewed as best practice for companies aiming to build a resilient supply chain infrastructure.
Furthermore, as cyberattacks grow more sophisticated, the methods cybercriminals employ against supply chains have become increasingly varied. From compromised software updates to the exploitation of vulnerabilities in supplier systems, the threats are both diverse and complex. As articulated in discussions of contemporary supply chain security, proactive vulnerability management and timely software updates can significantly reduce exposure to these risks. Regular patching, along with a culture of cybersecurity training within organisations, helps all stakeholders understand the potential repercussions of third-party failures.
The stakes are undeniably high; without proper safeguards, businesses expose themselves to operational disruptions that can have far-reaching consequences. The Avetta blog identifies critical risks including phishing and social engineering threats, reinforcing that stringent vendor assessments should become a norm within contracting processes. Adequate due diligence ensures vendors not only meet basic cybersecurity standards but are also continuously monitored for compliance.
Chadenga also offered a stark reminder that while third parties are indeed partners, they are not extensions of one’s business. “You can’t walk into their house and tell them to cook chicken for dinner if they want beef,” he quipped. However, it remains imperative that businesses keep a watchful eye on their activities to safeguard against potential disruptions. With the understanding that third-party relationships can pose significant operational risks, organisations must develop not only contingency plans but also a culture of resilience capable of adapting to the ever-evolving landscape of cybersecurity threats.
As businesses navigate these complexities, the development of robust vendor management frameworks will prove essential, combining thorough assessments with ongoing oversight to protect the integrity of their operations in an increasingly unpredictable environment.
Reference Map
- Paragraphs 1-3: [1], [2]
- Paragraph 4: [3], [6]
- Paragraph 5: [4], [7]
- Paragraph 6: [5]
- Paragraph 7: [6], [7]
- Paragraph 8: [1], [3]
- Paragraph 9: [4], [5]
Source: Noah Wire Services