
Fleet Transport June 2020


Third-party cybersecurity risks and how to manage them more efficiently

Herman Errico, Senior Cybersecurity Consultant, Cyber, Risk and Advisory at BSI Consulting Services

Cybersecurity risks arising from differing governance structures and security controls across suppliers can be vast and challenging to manage, both in Ireland and across global supply chains.

Supplier risks may result in data breaches that expose a company's information or its customers' personal data, and can have a significant impact on an organisation's people, finances and reputation.

Whether a company has been in operation for many years or is just starting out, adopting a more structured approach, with increased visibility, controls and preparedness, supports better cybersecurity and information security risk management.

Managing suppliers' cybersecurity and information security risks has always been a challenge for many organisations. Normal procedures may be bypassed or ignored because of reduced staffing, or users may not be accustomed to the standard processes that need to be followed. Applications may be downloaded, or services procured, from untrusted sources. This, along with the escalation in cyber threats through online scams, phishing and malware that exploit the current situation, is putting companies at risk.

The recent pandemic has highlighted the need for trusted suppliers that can provide reasonable assurance. Organisations face unprecedented challenges, such as extensive remote working and increased stress levels that could make employees more susceptible to phishing attacks. In this context a reliable supplier is a fundamental requirement to ensure that remote operations are carried out securely.

What are the main supplier relationship risks?

BSI recently carried out research that outlined the main third-party uncertainties, in order from highest to lowest risk level, as:

• Lack of reasonable assurance on the information security controls implemented by the third party

• Inadequate information security governance, risk tolerance and compliance practices, or different cultural or organisational attitudes, resulting in gaps in security requirements and controls

• Conflicting or different information security controls that interfere with or weaken the information security of the other party

• Over-reliance on the supplier's services and capabilities to ensure compliance with the acquirer's own information security requirements, resulting in unintended control dependencies

Implementing an effective third-party risk management programme

By strengthening a company's information resilience, and adopting best practice on how we work remotely, organisations can reduce threats to their data.

The risks of acquiring services vary, from onsite physical and remote access to information and information systems, to offsite information processing, equipment and applications.

The first step for many companies is their procurement policy for the planning of a new service or product.

At the selection phase a supplier risk management programme should be implemented, which would include the support of a third-party management tool, a questionnaire, and a review of the supplier's risk profile, graded as very high, high, medium or low.

The resulting supplier report is then shared with the information security department, who review it and assess the supplier's risks and whether they can be reduced. If the supplier is successful, an agreement is drawn up outlining the responsibilities for information management as part of the contract.

The supplier relationship is reviewed regularly through audits and assessments to identify any changes in requirements.

By managing a company's third parties correctly and building good relationships, cyber threats are reduced and data becomes more secure, resulting in the reduction and prevention of misuse.

BSI Consulting Services provide a range of solutions to help organisations address challenges in cybersecurity, information management and privacy, security awareness and compliance. For more details visit bsigroup.com/cyber-ie

www.handling-network.com
