In today's digital landscape, the reliance on external third-party suppliers, freelancers and partnerships has become universal. This dependency, however, comes with significant cyber security risks, as evidenced by the sharp rise in third-party and supply chain breaches. An extreme example was seen in the July 2024 CrowdStrike-Microsoft incident, where an issue in one entity led to massive downtime for another, showcasing the cascading effects of such reliance.
For small businesses, this issue is particularly pressing. Unlike larger corporations, which can leverage extensive resources and conduct comprehensive security assessments, small businesses often lack the same level of influence and capability. This raises an urgent question: How can small businesses protect themselves in an environment where they cannot directly control the cyber security measures of their external partners?
Addressing this dilemma can be crucial for ensuring the resilience and security of smaller businesses in an increasingly interconnected digital economy.
Why should Third Party Due Diligence be a necessity?
Third-party breaches are on the rise. These now account for 15% of all cyber breaches identified in the latest Verizon Data Breach Investigations Report (DBIR), marking a 68% increase over the previous year. This category of breach includes “partner infrastructure being affected and direct or indirect software supply chain issues, including when an organisation is affected by vulnerabilities in third party software”.
Furthermore, as identified in our previous blog post (Unpacking the 2024 UK Cyber Security Breaches Survey), supply chain risk management is a practice undertaken by the minority. Just over one in ten businesses say they review the risks posed by their immediate suppliers (11%, vs. 9% of charities). The figure increases to 28% for medium businesses and 48% for large businesses, highlighting just how infrequently small businesses conduct due diligence on their third-party risks.
If we are seeing a rise in third-party cyber security breaches but low levels of due diligence, something must be done to ensure small businesses understand and manage this risk.
Addressing the Awkwardness
You might think that as a small business, you lack the leverage to perform or enforce due diligence on any third party. However, this concern is relevant for all businesses, and now is the perfect time to establish foundational processes. While it may lead to some awkward conversations, cyber security should be part of your due diligence process.
You likely won't choose a supplier based solely on their security; other factors such as cost and quality will understandably take priority. However, this risk should not be neglected.
One main challenge is raising the issue with your third parties in the first place. However, as highlighted in the previous sections, this risk is too significant to ignore. We recommend starting by identifying and recording your suppliers in a simple spreadsheet with the following columns:
Supplier name and details
The service they provide
Supplier’s criticality to business operations
Supplier’s access to confidential data
Then, for those suppliers who are critical and/or hold confidential data, choose the ones which need further checks carried out. For smaller organisations, this can be in the format of audits using questionnaires to understand their current security practices. Following this, you can leverage tools to enforce necessary security measures.
For some larger providers, this information is usually publicly available. For example, Amazon Web Services posts its compliance reports online, including its ISO 27001 certification.
This process is a balancing act: while it's important to have controls in place, you must also avoid damaging relationships by appearing to "police" your third parties.
This tension often leads to another challenge: enforcing too many requirements, which may be rejected. For example, requesting a freelancer who uses their personal device to install specific software might be met with resistance, as this may be seen as monitoring their personal device.
So what should you do?
Managing third-party security is highly context-dependent, varying based on whether you are assessing the security of a freelancer, a supplier, or a large enterprise. It's essential to focus on key security areas relevant to their roles and interactions with your business. See below for our recommended approach with freelancers.
Key Third Parties and Security Areas to Consider:
Here are some examples of third parties you may look to assess, though this list is by no means exhaustive:
Suppliers/Partners
Cloud Service Providers
Software Vendors
Managed Service Providers (MSPs)
Freelancers/Contractors
For the majority of these third parties, the following security considerations may be relevant:
Compliance with Security Standards: Check for adherence to standards such as ISO 27001, SOC 2, and Cyber Essentials.
Service Level Agreements (SLAs): Review SLAs to ensure they meet your security expectations.
Vulnerability Management: Assess their approach to vulnerability management, including whether they conduct regular penetration tests.
Privacy Regulation Compliance: Ensure they comply with relevant privacy regulations, such as GDPR.
Data Backup and Recovery: Validate how they keep data secure. Check their data backup and disaster recovery plans to ensure data availability and integrity.
Failover and Redundancy: Evaluate their failover and redundancy measures to ensure service continuity during disruptions.
This information can be collected in your due diligence process.
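As an added example (not code from the original article), the supplier register and the review process described above can be kept in a small script rather than a spreadsheet: the register uses the four columns recommended earlier, the triage rule flags suppliers that are critical and/or hold confidential data, and the questionnaire records a yes/no answer for each of the six security areas listed, reporting the gaps still to follow up. The supplier names, services and answers are constructed sample data, and the column and area names are my own choices.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample supplier register using the four columns the article recommends
# (supplier, service, criticality, confidential-data access). These are not real suppliers.
REGISTER_CSV = """supplier,service,criticality,confidential_data
Acme Cloud Ltd,Hosting and backups,high,yes
Freelance Dev Co,Software development,medium,yes
Office Snacks Inc,Catering,low,no
Payroll Partners,Payroll processing,high,yes
Print Shop,Marketing materials,low,no
"""

# The six security areas the article lists for most third parties (names are assumed).
SECURITY_AREAS = (
    "compliance_with_standards",
    "slas",
    "vulnerability_management",
    "privacy_regulation",
    "backup_and_recovery",
    "failover_and_redundancy",
)


@dataclass
class Supplier:
    name: str
    service: str
    criticality: str            # low / medium / high
    confidential_data: bool
    # area -> True/False, filled in from the questionnaire
    answers: dict = field(default_factory=dict)

    def needs_further_checks(self) -> bool:
        # Article rule: critical suppliers and/or those holding confidential data get checked.
        return self.criticality == "high" or self.confidential_data

    def open_gaps(self) -> list:
        # Areas the questionnaire has not confirmed yet; an unanswered area counts as a gap.
        return [area for area in SECURITY_AREAS if not self.answers.get(area, False)]


def load_register(csv_text: str) -> list:
    """Parse the CSV register into Supplier objects."""
    suppliers = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        suppliers.append(Supplier(
            name=row["supplier"].strip(),
            service=row["service"].strip(),
            criticality=row["criticality"].strip().lower(),
            confidential_data=row["confidential_data"].strip().lower() == "yes",
        ))
    return suppliers


def select_for_review(suppliers: list) -> list:
    """Names of the suppliers that need a questionnaire or other further checks."""
    return [s.name for s in suppliers if s.needs_further_checks()]


def record_questionnaire(supplier: Supplier, responses: dict) -> list:
    """Record yes/no answers per security area and return the remaining gaps."""
    unknown = set(responses) - set(SECURITY_AREAS)
    if unknown:
        raise ValueError(f"unknown questionnaire areas: {sorted(unknown)}")
    supplier.answers.update(responses)
    return supplier.open_gaps()


def review_report(csv_text: str, questionnaires: dict) -> dict:
    """Map each supplier needing checks to its open gaps after the questionnaires are applied."""
    by_name = {s.name: s for s in load_register(csv_text)}
    report = {}
    for name in select_for_review(list(by_name.values())):
        report[name] = record_questionnaire(by_name[name], questionnaires.get(name, {}))
    return report


if __name__ == "__main__":
    # Constructed questionnaire answers for the demo; a missing supplier means no reply yet.
    sample_answers = {
        "Acme Cloud Ltd": {area: True for area in SECURITY_AREAS},
        "Payroll Partners": {"compliance_with_standards": True, "privacy_regulation": True},
    }
    for name, gaps in review_report(REGISTER_CSV, sample_answers).items():
        print(f"{name}: {'no gaps' if not gaps else ', '.join(gaps)}")
```

The low-criticality, no-confidential-data suppliers never appear in the report, which keeps the awkward conversations to the suppliers that actually matter; a supplier that has not returned the questionnaire shows every area as a gap rather than silently passing.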
Considerations for Freelancers and Contractors
Freelancers and contractors, while not employees, often perform critical functions for your business, such as virtual assistance and software development. As a result, their security practices are crucial, though it can be challenging to enforce strict controls over devices you do not own. Consider the following areas:
Device Hygiene
Ensure their devices (if personally owned) run antivirus software and that software updates are installed within two weeks of release.
Verify that devices are locked with strong, unique passwords, especially for critical accounts.
Data and Systems
Prohibit storing or processing organisational data on any non-approved platforms.
*You may want to embed security requirements in contracts signed by your freelancers/contractors. A soft example of the requirements is included at the bottom of this article.
Tools for Enforcing Security Controls
Mobile Device Management (MDM):
MDM tools allow for centralised management of device security, verifying that necessary controls are in place. However, MDM can be seen as intrusive, especially for non-company-owned devices, because it manages the entire device.
The criticism usually stems from the inability of MDM to distinguish between 'personal' use and 'work' use. This means that anyone using their own device doesn't have a clear separation between personal and work activities, and the security controls apply to the entire device.
Mobile Application Management (MAM):
An alternative method is MAM. MAM focuses on application-level security. It ensures that devices meet specific conditions to access applications, which is less intrusive as it doesn't require device monitoring or control. For example, Microsoft Intune's conditional access features allow access to applications like Outlook only if the device meets security requirements, such as having a six-digit PIN when unlocking the device.
To Summarise - Short-term Awkwardness to Prevent a Potential Long-term Issue
In today’s digital world, relying on third parties for services and partnerships introduces significant cyber security risks, which are on the rise according to recent data. For small businesses, managing these risks is crucial but challenging due to limited resources and potentially uncomfortable conversations.
Conducting third-party due diligence for cyber security is essential for protecting your business. Breaches are increasing, and small businesses often fall short in this area. It is vital to start by auditing and reviewing third parties to assess their security practices, even if this is just measuring foundational areas like antivirus and update frequency.
While tools such as Mobile Device Management (MDM) and Mobile Application Management (MAM) can enforce and validate security practices, they must be implemented carefully to avoid disrupting relationships. By addressing these areas, small businesses can enhance their cyber security and better safeguard their operations.
If this is something you require assistance with, or any help with small business cyber security, you can book a free call here or get in touch.
Example Security Contract Annex for Freelancers and Contractors
“In order to ensure freelancers/contractors can work efficiently and effectively whilst looking after our data and systems, it is important that good security practices are in place.
The following are ways freelancers and contractors are expected to protect themselves and our company from security incidents.
During the contract with insert company name
Devices - Keep any devices used for our work secure:
Antivirus:
Use company provided, or your own antivirus software on all devices used for our work.
Keep the antivirus software turned on, updated and scanning your device automatically on a weekly basis
Updates:
Keep your device operating system up to date within 2 weeks of the latest version
Keep your internet browsers and any downloaded applications (e.g. Chrome, Edge, Safari, Microsoft Office) up to date within 2 weeks of the latest version
Passwords
Keep an unpredictable password or passcode on any devices used for work purposes to protect them if lost or stolen
Data and systems - protect organisational data and systems:
Use the company provided password manager account to create and store long, strong passwords for any organisational related accounts
Store your company passwords only in the password manager, and nowhere else
Use a strong master password and multi-factor authentication on your password manager
Carry out any security training provided by us
Don’t store or process organisational data on platforms not approved for business use. Approved platforms are: Google Workspace, Notion, Github…
Don’t store any organisational data on your device
Communication - let us know if something doesn’t look right: X@Company.com
When the contract with insert company name ends
As stated in your work contract, the Contractor agrees that all Contractor Work Product will be the sole and exclusive property of the Client.
Upon termination of a contract, share all work products with us and then delete them permanently.”