Skip to main content
search

Third party breaches are on the rise - so how should organisations respond?

The recent health data breach involving MediSecure has been traced back to a third-party vendor.  This comes just a week after The Australian Privacy Commissioner warned third party vulnerabilities were “a real weak spot,” for organisations when several NSW and ACT clubs were involved in a secondary breach – which saw more than a million Australians’ data being leaked.

These incidents align with the findings of the latest report by the Office of the Australian Information Commissioner (OAIC), which revealed that third parties are a growing source of data breaches. In the past six months alone, while there have been 483 notifications related to direct data breaches there have been 121 secondary data breaches (which are those arising from third parties).

 This underscores the critical need for improved third-party risk management practices in today’s complex organisational environments.

So how should organisations respond?

David Vohradsky, Cyber Security Practice Lead at Avocado Consulting says there is an urgent need to reevaluate and enhance procurement processes to effectively mitigate such risks.

“The latest third-party breaches highlight the urgent need for procurement processes to consider IT and security from the start. Often, IT departments are left out of business purchase decisions, resulting in delayed risk mitigation.”

“This issue is particularly problematic in organisations that prioritise agility and autonomy over coordinated security efforts. And, especially for those operating in high-risk environments such as healthcare, financial services and critical infrastructure.”

“For example, without proper oversight, anyone within an organisation can purchase low-cost but high-risk software-as-a-service subscriptions, bypassing protocols – ultimately leading to security breaches.”

“The fact is, just because your third party is compromised, doesn’t mean you’re not responsible.”

David VohradskyCyber Security Practice Lead
Third party data breach

“Traditional procurement practices need to shift towards a model that ensures consistent security measures across all organisational departments and procurement processes. This ensures that all third-party engagements are evaluated not only for their business value but also for their compliance with security standards,” says Vohradsky.

Vohradsky suggests a tiered strategy that is a collaboration between IT and Executive Management to balance business needs and value with security requirements.

“In Avocado’s experience, including both business value and IT/cyber risk considerations in a tiered vendor management strategy, with regular reviews and coordinated efforts, will help assess financial and security risks effectively. This integration ensures that every dollar spent advances business goals while maintaining a strong security posture,” Vohradsky adds.

Vohradsky elaborates, “By coordinating processes through both security and financial lenses, organisations ensure effective and value-driven spending, considering technology fit and risk. For example, breaking down higher risk Tier 1 vendors to be managed monthly and both Tier 1 and Tier 2 vendors to be reviewed annually. This approach ensures regular evaluation of vendor performance and alignment with strategic and security goals.”

The recent breaches serve as a stark reminder of the vulnerabilities that can arise from inadequate third-party risk management. As organisations strive to remain agile and competitive, it is crucial to implement comprehensive procurement strategies that integrate IT and security considerations from the outset. Doing so will not only protect sensitive data but also support sustainable business growth. Read Third Party Risk FAQs below, learn more about Avocado’s third-party risk management services, or enquire now.

Submit an enquiry

Third Party Risk Management Frequently Asked Questions

When would I need a third-party risk assessment?

  • Your organisation is undergoing digital transformation, and you aim to proactively stay ahead in the rapidly evolving landscape.
  • You are involved in merger and acquisition activities, which require thorough evaluation of the cyber risks associated with the transaction.
  • Whenever your organisation procures third-party software or IT services, it is essential to conduct a risk assessment to ensure security and compliance.
  • If your business operates within a complex supply chain or deals with suppliers operating in high-risk environments, a third-party risk assessment becomes crucial to identify and mitigate potential vulnerabilities.
  • Your organisation enters contracts with government departments or operates in high-risk industries, emphasising the need for comprehensive risk assessments to meet regulatory requirements and safeguard against potential threats.

Who should be undertaking a TPRM assessment?

If you have an extensive supply chain and insufficiently managed third party cyber risk, you need help from an experienced third-party assessor like Avocado.

Significantly, all critical infrastructure industry sectors – communications, data processing, energy, financial services, health care, food, education, space, transport, and water should have a robust risk management framework including managing their third party risks.

Government sector agencies that need to ensure a consistent management of third parties across their cluster should be scaling their third party risk assessment capability as a priority.

How often should I conduct a TPRM Assessment?

A third party risk assessment should be conducted at least annually and at contract renewal for all medium and high risk third-parties.

Are all TPRM assessments created equal?

No – Third-party assessments are increasingly becoming standardised and generic. They often lack the utilisation of cutting-edge technology and can drag on for months to complete. In some cases, under-resourced teams treat them as mere checkbox exercises or limit the scope to a subjective list of the most critical suppliers.

To maintain the thoroughness of your assessments and adopt a risk-based approach, it is crucial to conduct third-party risk and cybersecurity assessments for all suppliers and Software-as-a-Service (SaaS) procurements. We can partner directly with customer experience teams to provide a turnkey service with minimal cyber team review required and a deeper- service offering.

Is there a cost-benefit to outsourcing a TPRM Service?

Avocado offers a cost-effective solution to save your in-house team a significant amount of money. We achieve this by addressing your backlog of unmanaged risk, which may include assessing numerous suppliers. By relieving your team of this task, they can focus on strategic cyber priorities and risk management remediation activities.

Avocado specialises in delivering high-volume, low-cost burst capability, eliminating the need for an in-house cyber GRC resource to be available on demand for urgent assessments. Alternatively, we offer a managed service at a fixed cost.

Avocado’s Third-Party Risk Management (TPRM) Services combine cutting-edge technology with expert consultants to ensure frequent and robust assessments.

What is the process for a TPRM assessment?

First, we provide the supplier with a questionnaire and request evidence, which may include external audit reports such as ISO 27001, SOC2 Type II, and pen test results. The customer can choose to handle this process independently or engage our services on a time and material basis to assist in gathering and reviewing the evidence.

Next, our team conducts a comprehensive assessment, thoroughly examining the supplier’s security practices and capabilities. We delve beyond the surface level, offering a deeper service offering. We evaluate each identified gap for control effectiveness and assign a risk rating. Additionally, we provide an executive summary that includes recommendations to address the identified gaps and enhance security.

Subsequently, we collaborate with the customer, reviewing the assessment findings and addressing any follow-up questions or concerns they may have. This ensures a clear understanding of the assessment results and allows for clarification or further discussions as needed.

Ultimately, the final outcome of the third-party risk assessment is a comprehensive report that ratifies the supplier’s security measures. The report includes the control effectiveness and risk ratings for each identified gap, empowering the customer with actionable insights and recommendations to strengthen their security posture and mitigate risks associated with third-party engagements.

What are the next steps after a TPRM assessment?

After conducting a third-party risk assessment, several likely next steps can be taken:

  1. It is important to address and close any identified gaps based on the assessment’s recommendations. Additionally, residual risks should be effectively managed, both by maintaining a risk register and considering the overall risk profile of the supplier. Many companies fail to do this, and in such cases, a cyber Governance, Risk, and Compliance (GRC) solution like MyRISK can help manage the outcomes.
  2. Avocado offers assistance in designing additional controls through their security architects to mitigate any gaps identified in third-party relationships.
  3. If the evidence provided by the supplier regarding their security measures is insufficient, Avocado can provide penetration testing services to further validate the security of their systems and processes.
  4. In cases where the supplier’s response to the assessment is inadequate, Avocado can provide external audit capabilities to ensure compliance and address any shortcomings.

Avocado has a full-service capability that can help throughout this process so organisations can effectively manage and mitigate risks associated with their third-party relationships.

Book a consultation

Regardless of your how strong your overall cyber security program, unmanaged third-party risk will impact your enterprise’s survival. Contact our team today to discuss your third party risk management (TPRM).

Your trusted business partner for TPRM

Discover the Avocado difference

Leading experts

We have proudly delivered IT services with certainty for 20+ years, with extensive cyber security knowledge across health, education, retail, and financial services industries, with international connections through industry body memberships.

Certified

Our resources are highly-regarded across the industry, with multiple certifications including CRISC, CISM, ISO 27001, and QSA.

Trusted Partner

Australian based reviews - with 10 years of experience providing cyber service to ASX listed companies and government agencies.

Superior Customer Experience

Experience deep service offerings with company due diligence, financial due diligence, service quality assessment, cyber security assessment, SOC 2 / ISO review, contract review at a fixed price low cost.

Holistic Service Offering

We offer the full scope of cyber-advisory including due diligence, financial due diligence, service quality assessment, cyber security assessments, SOC 2 / ISO review, contract review, at a fixed price.

Fast turnaround

Once a supplier responds, our TPRM assessments take typically 1 week to turnaround.
Third Party Risk Management

Reinventing and securing the omni-channel customer experience

Read the case study
Third Party Risk Management

Navigating the backlog of third party vendor risk assessments

Read the blog
Close Menu