Published: January 19, 2024

Our new bulletin Cyber Threat Watch has been created to help small businesses stay up to date on the latest threats, news, and events affecting their business. The content has been curated to make cybersecurity easy and accessible for both technical and nontechnical readers.

Featured Cyber Incident — Third-Party Risk in Professional Services

The professional services industry encompasses a wide range of businesses that provide specialized knowledge, expertise, and advice to clients. As a result, the reciprocal nature of their business operations introduces unique information security challenges.

What is Third-Party Risk?

Third-party risk refers to the threats and vulnerabilities that arise from external entities an organization depends on. It is particularly pertinent to professional services firms, whose business ecosystems involve clients from many industries and the handling of those clients' sensitive information. This exposure increases overall information security risk, including the following:

  • Supply Chain Issues: A supply chain is the interconnected set of systems and processes of all stakeholders (vendors, manufacturers, service providers, and their partners) that contribute to an organization’s business operations. Because these systems depend on external parties, a security breach in a partner’s network can compromise the information assets that partner holds, and that exposure propagates to the organization.
  • Application Programming Interface (API) Issues: An API is a set of protocols and tools that lets different applications communicate with each other and exchange data and functionality. API integrations across the supply chain can expose an organization’s systems to additional threats when they are poorly secured or misconfigured.

API risk feeds directly into supply chain risk, and together they shape an organization’s overall third-party risk. Industry experts rank these among the top security concerns, so managing this risk is crucial for maintaining data integrity and confidentiality in the professional services environment.

Action Items for Mitigating Third-Party Risk

  1. Assess Third Parties’ Security Practices:
    • Conduct thorough security assessments before engaging with them
    • Evaluate their security policies, incident response capabilities, industry certifications, and adherence to best security practices
  2. Establish Clear Security Requirements in Contracts:
    • Develop formal, written contracts outlining security requirements
    • Specify data protection measures, encryption protocols, and incident response procedures
    • Include clauses for prompt reporting of security incidents and cooperation in investigations
  3. Define and Implement Identity and Access Management (IAM) Roles:
    • Implement a robust IAM system to manage third parties’ access rights by defining and enforcing least-privilege access
    • Regularly review and update IAM roles to detect unauthorized access and address changes to configuration
  4. Monitor Third Parties’ Security Practices:
    • Implement a continuous monitoring process to keep security protocols current and revoke third-party access when it is no longer needed
    • Utilize intrusion detection systems and threat intelligence for anomaly detection
    • Conduct periodic security audits to ensure their compliance
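The review steps in items 3 and 4 (enforce least privilege, review roles regularly, revoke access when it is no longer needed) can be turned into a repeatable check. The following is an added example, not code from the NCSS bulletin: it runs a periodic review over a constructed register of third-party accounts and reports which accounts to revoke (contract ended, dormant, or no defined role) and which to reduce (permissions beyond their role). The role definitions, permission names, vendors, and dates are all hypothetical; in practice the register would be exported from the organization's identity provider.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical least-privilege role definitions: the maximum set of
# permissions a third party in each role should hold (constructed).
ROLE_ALLOWED = {
    "bookkeeper": {"ledger:read", "ledger:write"},
    "it_support": {"tickets:read", "tickets:write", "endpoint:remote"},
    "auditor": {"ledger:read", "tickets:read"},
}


@dataclass
class ThirdPartyAccess:
    vendor: str
    account: str
    role: str
    granted: set          # permissions currently held by the account
    last_used: date       # last successful sign-in
    contract_end: date    # end of the engagement per the written contract


@dataclass
class Finding:
    vendor: str
    account: str
    action: str           # "revoke" or "reduce"
    reason: str
    detail: frozenset = frozenset()   # excess permissions, for "reduce"


def review_access(register, today, stale_days=90):
    """Periodic third-party access review.

    Order of checks: an ended contract or a dormant account is revoked
    outright; otherwise the granted permissions are compared with the
    role's least-privilege set and any excess is flagged for reduction.
    """
    findings = []
    for a in register:
        if a.contract_end < today:
            findings.append(Finding(a.vendor, a.account, "revoke",
                                    f"contract ended {a.contract_end.isoformat()}"))
            continue
        if (today - a.last_used).days > stale_days:
            findings.append(Finding(a.vendor, a.account, "revoke",
                                    f"unused for more than {stale_days} days"))
            continue
        if a.role not in ROLE_ALLOWED:
            # No defined role means no agreed scope: treat as unauthorized.
            findings.append(Finding(a.vendor, a.account, "revoke",
                                    f"role '{a.role}' is not defined"))
            continue
        excess = a.granted - ROLE_ALLOWED[a.role]
        if excess:
            findings.append(Finding(a.vendor, a.account, "reduce",
                                    f"permissions beyond role '{a.role}'",
                                    frozenset(excess)))
    return findings


# Constructed sample register; the review date is the bulletin's date.
TODAY = date(2024, 1, 19)
SAMPLE_REGISTER = [
    ThirdPartyAccess("Acme Accounting", "acme-svc", "bookkeeper",
                     {"ledger:read", "ledger:write"},
                     date(2024, 1, 15), date(2024, 12, 31)),
    ThirdPartyAccess("Acme Accounting", "acme-admin", "bookkeeper",
                     {"ledger:read", "ledger:write", "endpoint:remote"},
                     date(2024, 1, 10), date(2024, 12, 31)),
    ThirdPartyAccess("HelpDesk Co", "hd-tech1", "it_support",
                     {"tickets:read", "tickets:write"},
                     date(2023, 9, 1), date(2024, 6, 30)),
    ThirdPartyAccess("OldVendor LLC", "old-user", "auditor",
                     {"ledger:read"},
                     date(2023, 12, 1), date(2023, 12, 31)),
    ThirdPartyAccess("Mystery Inc", "myst", "contractor",
                     {"ledger:write"},
                     date(2024, 1, 5), date(2024, 12, 31)),
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_REGISTER, TODAY):
        extra = f" ({', '.join(sorted(f.detail))})" if f.detail else ""
        print(f"{f.action:6} {f.vendor} / {f.account}: {f.reason}{extra}")
```

Running the review on the sample register flags four of the five accounts: one bookkeeper account holding a remote-endpoint permission it should not have, a help-desk account unused for more than 90 days, an auditor whose contract ended, and an account with no defined role. The contract end date is the same value the written contract from item 2 should carry, which is what ties the contractual and technical controls together.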

In conclusion, by incorporating these measures into your organization’s security practices, third-party risk can be mitigated.

The NCSS encourages businesses to adopt comprehensive security practices and stay informed about evolving threats. We recommend you leverage a managed security service provider (MSSP). We have partners who can help. For more information, visit our Small Business page.

About the NCSS

The National Cybersecurity Society (NCSS) is committed to improving the online safety and security of the small business community through education, awareness, and advocacy. As a 501(c)(3) organization, the NCSS uses funds from charitable donations and grants to develop educational materials, webinars, weekly cyber tips, videos, and how-to guides. The organization’s goal is to enable and empower small and medium businesses to obtain cybersecurity services, assist them in understanding their cyber risk, and advise on the type of protection needed. We want to continue to grow our community and encourage you to tell other small businesses we are here to help.

The NCSS is committed to respecting the use of images in our communication efforts. Accordingly, unless otherwise specifically noted, the graphics in our bulletin are sourced under license from Adobe Stock. The header and footer images were designed and purchased through a contract with Eyedea Advertising & Design Studio.