When a major US retailer gave a third party supplier access to its IT systems, it had no idea it would become the victim of hackers. Leading to the USA’s largest retail hacking event with the loss of 60 million customer card details, a $14.5m dollar settlement and significant reputational damage.
Regardless of your business’ size, third party services can give hackers new ways to enter your companies’ systems. Yet there’s a lot you can do to prevent these kinds of attacks, as we explore in this article.
Does outsourcing your software mean outsourcing your liability?
Third party software providers offer a wide range of services that help companies rapidly advance their systems and remove IT security challenges from businesses. Yet, what many firms don’t realise is that, should something go wrong, outsourced supply chain software does not mean outsourced responsibility.
Damian Walton, Managing Director at IntaForensics, says: “We regularly talk to merchants who have been attacked. They tell us that because they’ve outsourced everything, it’s their suppliers who are at fault. However, contractually, if anything goes wrong, it’s the vendor who’s considered liable.”
How can hackers use third party suppliers to get into your systems?
When your company plugs in a piece of software – or you have it plugged in for you – there’s often an assumption it’s secure. But that’s not necessarily the case. As Holly Jackson, Principal Cyber Security Consultant, says: “Any additional software can weaken your IT system if it’s not provided in the right way with the appropriate security standards.”
Risks can come from a wide range of services, including payment technologies, websites and hosting platforms. However, one of the most common entry points is shared servers – servers you share with potentially hundreds of other companies.
These shared servers are a prime target for hackers because one break in gives them access to lots of companies’ systems. This isn’t a major problem if every company on the server has excellent IT security. But a single weak link gives the criminals access not only to the systems of the company whose IT security was poor but potentially to every company on the server.
“Shared server access means you’re reliant on other people having the same security standards as you,” says Holly. “It only costs a little bit more for your own dedicated server. Which makes you less of a target, gives you greater control over your security and helps you reduce your risk.”
The costly impact of being hacked
Once criminals get inside your systems, they can typically access all your files. This could include customer payment card details, customers’ and employees’ personal data, private business information and your IT systems themselves.
These attacks can be very expensive. In some cases, hackers carry out ransomware attacks where they lock down a business’ entire IT system and demand a sum of money to release it. In other events, where data is accessed or stolen, companies can be liable for significant fines. Including from the Information Commissioner’s Office for breaching the General Data Protection Regulations (GDPR).
Firms can also lose future sales due to reputational damage making an investment in IT security money well spent.
The security checks that could save your business a fortune
“When looking for a service provider it’s important to seek companies with certifications such as Cyber Essentials or other recognised standards like ISO 27001,” says Damian.
These quality marks mean the supplier has evidenced they have a certain level of IT security in place. These kinds of checks should form part of your due diligence when contracting new services. “However,” notes Holly, “you also need to check in annually with your providers to make sure their accreditations and protections remain up to date.”
Given that 39% of UK businesses experienced a cyber attack in 2022, we’d also recommend taking a more robust approach, which could include:
- A 360-degree cyber review – an IT security specialist checks different aspects of your IT security and provides rounded advice on how to improve your systems’ protections.
- Penetration testing – involves an IT security specialist legitimately testing and breaking into your systems to find vulnerabilities. A report identifies your security strengths and weaknesses.
- Introducing a managed service provider – like a traditional security company that physically checks buildings, a managed service provider carries out around the clock digital monitoring to protect your systems. If it looks like you’re being hacked, specially installed software will raise the alarm and shut down the attack. Gaps in your system are then patched to help deter and prevent further attacks.
Finding a specialist IT security firm to carry out these measures is vital to ensuring the safety of your systems, the data and your business’ reputation and bottom line. As a leader in IT security, we include the police and government departments among our clients, making IntaForensics a safe pair of hands you can rely on for your business’ IT security.
Find out how we can enhance your IT security by calling us on 0247 77 17780 or emailing us at firstname.lastname@example.org.