Whether you are a small independent trader or a multinational, all businesses have essential relationships with suppliers and clients, providing goods, services or expertise. For many it is practically impossible to do business without the assistance of such third parties.
This inevitably opens the door to a host of cybersecurity risks, risks that can be difficult to quantify unless the proper procedures are in place. BS 27036 is the multi-part standard that offers guidance on understanding and treating these risks. As Stephen Scott, Senior Manager, Information Governance, BSI Cybersecurity and Information Resilience, points out, “If you don’t have a clear understanding of what your relationship is with someone, what data you’re sharing with them, and what’s the ultimate goal of the relationship, you’re going to be lost.”
A prime example of a third party breach is the one suffered in 2014 by Loyaltybuild, a company which provided loyalty programmes to several Irish supermarket chains. When Loyaltybuild was hit by a devastating data breach, it was their supermarket clients that received the bad press and suffered a corresponding hit to customer confidence. This was an unfortunate outcome, bearing in mind that improving customer loyalty was the ultimate goal of their relationship.
Later investigations revealed deep flaws in Loyaltybuild’s cybersecurity. If their clients had taken third party risk management seriously and conducted adequate due diligence, the problems would have been apparent at the outset. The breach that put Loyaltybuild out of action, caused reputational damage to their clients and led to the loss of thousands of customers’ sensitive data could easily have been avoided.
In many cases, third party relationships are managed on an ad-hoc basis. If no structured process for acquiring third party partners has previously been in place at an organization, simply identifying who your third party partners are and what your relationship with them is can be a time-consuming task. But it is an essential first step to effective risk management.
The list of reasons to engage with a third party is endless. Breaches can happen to third parties upstream or downstream, so everyone is likely to be affected by some sort of breach sooner or later. Third parties may be required to provide ICT equipment or services, and outsourced services may be needed when acquiring a specialized competency, when expanding to new geographies, or for the provision of call centres or penetration testing. Most businesses understandably want to focus resources on their core function, making the use of third parties a logical and pragmatic solution. But regardless of the type of relationship involved, a structured approach to risk management is essential.
BS 27036-1 is the standard which provides organisations with an overview of the guidance for making their information systems and supplier relationships secure. It explains the relevant concepts in detail and is applicable to the cybersecurity of both suppliers and acquirers of goods and services.
An essential tool in building a structured approach to cybersecurity, and in understanding the requirements that organisations will be tested against, is BS 27036-2. This standard specifies the requirements for implementing, operating, monitoring and improving third party relationships with suppliers and clients. It gives guidance on forming a mutual understanding of each party’s approach to cybersecurity and its tolerance of security risks, including guidance on onboarding, monitoring and exiting partnerships with third parties.
The onboarding process should start by defining the goal of the partnership and the potential risks, bearing in mind what type of data is exchanged, how and where it is to be used and whether the third party may, themselves, outsource some of the work. Any contract with a third party must include a clear roadmap for receiving assurances that cybersecurity is maintained as agreed.
Once a third party relationship is underway, it must be audited in a transparent and regular manner in order to verify that agreed-upon controls are applied and so that any changes in the relationship can be understood. Third parties should also be held responsible for reporting any breaches that do occur. Depending on the scale and nature of the risks identified at the start of the relationship, auditing may simply take the form of a self-completed questionnaire or could involve site visits.
A frequently overlooked aspect of third party risk is the exiting of partnerships. It must be possible to account for and return shared data, and a future roadmap should be put in place to manage any legacy relationship.
Putting in place structured processes, in line with international standards, not only helps to minimize risk and to maximize accountability, it also makes forming new third party relationships faster and more easily repeatable. In the future, these processes are likely to be increasingly automated, meaning that less time will be required to manage relationships. However, proper management of third party risk will always require the same basic understanding of how the relationship with the third party works and what its goals are in the first place.
BS ISO/IEC 27036-1:2014 provides an overview and outlines the fundamental concepts
BS ISO/IEC 27036-2:2014 specifies requirements for information security for supplier relationships
BS ISO/IEC 27036-3:2013 provides guidelines for ICT supply chain security
BS ISO/IEC 27036-4:2016 provides guidelines for security of cloud services
Protect your business’s reputation with cybersecurity standards
Compromised supplier relations resulting from third party breaches could be damaging to your reputation. Standards can help you safeguard the personal data of both customers and clients, protect valuable IT infrastructure, and manage cybersecurity processes effectively to mitigate the threats of cybercrime. Discover the key standards needed for cybersecurity.
Protect your business’s reputation with key cybersecurity standards: find out how you can access all the key cybersecurity standards with British Standards Online Library (BSOL). Build your own collection of standards to help you identify, assess, manage, and treat supplier risk.
Get in touch today and stay in control of your business with a cyber strategy in place.