
The devil is in the details: How understanding your supply chain could help keep your business compliant


By Jamie Ahktar, co-founder and CEO of CyberSmart

One of the most frustrating things for security professionals to deal with is the element of the unknown. Even if a security team works to do everything right – including patching and updating systems, regularly auditing their online infrastructure, and engaging in security awareness training programmes with wider teams – they could still be let down by those in their supply chain.

Every business has a supply chain. Whether this is a software company that works to provide HR or payroll systems for your business, coffee or paper suppliers, or IT support providers, no business exists in a vacuum. These organisations are a necessary component of business operations. As a result of this interconnected nature, these other organisations may, to some extent, have access to your valuable business data. They may even be a part of your digital ecosystem via plugins or widgets.

While this is widespread business practice, it does not come without risk from a security perspective. Although these companies may serve a useful or necessary purpose in the business function of an enterprise, there is no guarantee that they have held their security programme to the same standards that your company has.

Some of the world’s largest organisations have learned this the hard way with high-profile, reputationally damaging data breaches. For example, Marriott hotels, one of the world’s largest hoteliers, fell victim to a catastrophic data breach (their second in 24 months) which affected 5.2 million guests globally when hackers gained access to the Marriott network via stolen credentials from a third-party software used to provide guest services.

This is not an isolated incident. Live event giant Ticketmaster and several of its affiliated websites were breached in a similar fashion in 2018. In this case, malware was discovered in a third-party, AI-generated customer service system which stole details from some individuals who successfully purchased, or even attempted to purchase, tickets on the Ticketmaster website.

These incidents and others like them are hugely damaging for enterprises, who live and die by their reputation among customers. Despite the breaches originating with third-party operators, the reputational damage is borne by the household names of Marriott and Ticketmaster.

Not only that, but even if the breach originated in the supply chain of an organisation, the organisation itself may still be liable to serious financial ramifications as set out by the EU’s General Data Protection Regulation. Indeed, the GDPR states that the regulator could demand up to 17 million, or 4% of an organisation’s annual turnover, whichever is higher. While this remains a theoretical, and probably terrifying, prospect for Ticketmaster, for Marriott it is all too real: they were subjected to the UK’s first GDPR fine in 2019 for a separate 2018 data breach.

These fines are, undoubtedly, a devastating blow for enterprises of all sizes. However, the Marriotts and Ticketmasters of this world are likely to weather the storm both reputationally and financially.

This is not the case for most businesses. If a data breach were to occur at an SME, for example, the financial and reputational damage could be such that the business is unable to recover. This problem is further compounded by the reality that small or medium-sized businesses, particularly those in the embryonic stage, are most likely to be the ones who need third-party help for day-to-day business functions, seeing as it is often a more cost-effective method of operating than managing in-house.

So what can organisations do to ensure that their partners are taking security as seriously as they are? One important thing is simply understanding where in your digital ecosystem third-party code is being used, or where your supply chain is coming into direct contact with your network. This will help security teams or providers to know where the potential weak links are in your security posture and take appropriate steps to secure them.

Another impactful move is to talk to potential partners or suppliers about their own security setup. Understand what tools or partners they use to ensure their security compliance, and if you suspect that they need to consider security more stringently, encourage them to work with a company that can provide accreditation, support or security audits in order to put your mind at ease. Partners need to be trusted in the same way that members of your own team are. The devastating consequences of what happens if this trust is broken show that taking security seriously is a benefit to everyone.
