Understanding the risks of third-party service providers
What are the risks for charities of working with third-party service providers?
You may have seen the BBC article a couple of months ago about a cyber-attack on an IT company that serviced several charities holding sensitive personal information.
One of the common misconceptions about cyber security is that outsourcing IT removes the cyber risk. Outsourcing may provide multiple advantages for your organisation, but it is still vital to carry out due diligence and to be aware of the risk of indirect cyber-attacks, where criminals breach a supplier's network and use that foothold to gain access to your organisation's data. Indirect cyber-attacks of this nature have risen from 44% to 61% over the past few years, according to a Global Cyber Security Outlook 2022 report.
Consider the following risks of using third-party service providers:
- Reputational damage: Should one of your suppliers experience a cyber breach, your reputation could be damaged. After all, the data was entrusted to you, and both your handling of the incident and your association with the affected supplier could come under scrutiny.
- Compliance concerns: Regulators are increasing pressure on organisations to manage their supply chain risk better. For instance, if a third-party donor relationship management service processes your donors' contact details solely on your behalf and for no purpose of its own, it is a data processor and you remain the data controller, with the accountability that entails. As such, you could suffer financial penalties for failing to comply with the relevant regulations if a supplier experiences a cyber-security breach involving your data.
- Operational issues: If a software vendor experiences a cyber-attack, your services could be offline for a significant period. Extensive downtime may result in productivity losses and a damaged reputation.
It’s essential to conduct due diligence before granting third-party suppliers access to your IT systems. It’s worth noting that while vendors may have adequate security controls at first, they may not always retain them. Therefore, it becomes your responsibility to monitor a third-party supplier’s performance and security measures for the duration of your dealings with them, not just at the point of signing a contract. Additionally, only work with vendors who have appropriate security safeguards, business continuity plans and disaster recovery strategies.