28 May 2018

Cybercriminals homing in on the IoT

Submitted by: Teresa Settas

Third-party risk management

Criminals look to attack businesses embracing the Internet of Things (IoT), targeting small to mid-sized enterprises (SMEs) providing services to global organisations.

One of the predictions made in the 2018 Cybersecurity Predictions released by Stroz Friedberg, an Aon Company, is that global organisations will need to factor the way their business partners use the IoT into the increased complexities of third-party risk management. The inherent risk lies in a large company being brought down by a cyber-attack on a small vendor or contractor that targets the IoT as a way into their network.

“It is crucial for large organisations to update their approach to third-party risk management, and for small and mid-sized enterprises (SMEs) to implement better security measures, or they could stand the risk of losing business,” says Kerry Curtin, Business Unit Manager: Financial Institutions at Aon South Africa.

Enterprises continue to interconnect endpoints, objects and platforms to their networks, disintegrating traditional network perimeters, converging the digital and the physical worlds and creating new security challenges.  Businesses are expected to have employed 3.1 billion connected things in 2017.  Beyond devices, companies are linking more business processes to the internet to gather data, drive efficiencies and automate, monitor and control operations. 

This boom in usage could generate up to $11.1 trillion a year in economic value by 2025. Yet, IoT devices are notoriously unsecured and proper patch management programs will continue to be overlooked in 2018 according to Stroz’ predictions.

“The security vulnerabilities introduced by how businesses are utilising the IoT therefore present substantial risks, and even if a company’s own IoT ecosystem is relatively secure, the impact of how third parties are deploying IoT is neglected,” explains Kerry.

In a 2017 Ponemon study, only 25% of respondents said the board of directors ask for assurances that IoT risks among third parties are being assessed, managed and monitored appropriately. This is a particular concern for large organisations working with SMEs, given their lower prioritisation of cybersecurity.

Another recent Ponemon study found that 55% of small businesses reported having been breached in a 12-month period between 2015 and 2016, yet a tiny minority said they view it as the most critical issue they face.

“As enterprises derive more efficiencies from working with SMEs in 2018, hackers will pinpoint smaller businesses that utilise IoT platforms and devices to gain entry into larger businesses. An example is criminals targeting ATM manufacturers and maintenance vendors working with large banks,” Kerry illustrates.

“Additionally, organisations face risks from smaller service providers of printers or copy machines, security camera systems and other connected endpoints through which client data can be exposed if hacked.  As a result, demand for visibility into third-party security will increase and smaller vendors bidding for contracts will have to demonstrate stronger cybersecurity measures around IoT,” says Kerry.

“It is absolutely critical that large organisations broaden their third-party risk management programs and due diligence processes to account for weaknesses in vendor IoT security. Likewise, SMEs bidding to work with them will need to improve and document their cybersecurity measures,” Kerry explains.

“The risk that cyber-crime poses affects all companies, big and small, and that is why you need a qualified risk advisor by your side who is able to take your business through a comprehensive cyber risk assessment in order to mitigate your exposure to third-party risk,” concludes Kerry.