Cyberattacks have been an issue for years, but in the last few weeks they have affected millions of Australians and continue to affect more. After the Optus cyberattack, which leaked the data of about 10 million Australians, NAB and Telstra were hit by a third-party data breach. This caused private information of current and former employees to be leaked online, but it only affected the staff of the companies, not their customers. This type of attack highlights the importance of collaborating with companies that comply with strict security policies.

At Polonious, we are ISO 27001 certified, which means that we take security seriously and comply with strict international standards to ensure that our clients are protected. We prioritise confidentiality and provide our clients with a secure place to store their documents and evidence during an investigation. We take many measures to ensure that the information provided to us by clients does not end up in the wrong hands.

The incident

Telstra and NAB emphasised that their internal systems had not been breached and that this was a third-party data breach affecting limited information about their employees, such as their email addresses and names.

Telstra employee records from 2017 were compromised, accounting for about 30,000 individuals. The platform that was attacked is called Pegasus, a company that provides employee benefits. The exact number of NAB records that were accessed is unknown. The attack is believed to have been carried out for profit, and while the information was posted on the same forum as the Optus data breach, no connection between the two has been established. The companies treat this as a low-risk attack, as their systems and networks were not affected and the data leaked was minimal.

Importance of third-party security

As part of their risk management, businesses can develop their own requirements for collaborating with other organisations. Even if customer data is not shared with them, the safety of employee data is equally important. Employees can lose faith in a company just as customers can, and a cyberattack may leave them feeling confused and undervalued. The community is less likely to stay loyal to an organisation that allows itself to be exposed to cybercrime. So even if the attack is not evidently severe, it could indirectly harm the company's reputation.

Third-party risk

Third-party risk exists whenever an organisation needs to share internal information with external businesses. In a study, 31% of respondents said that a cyberattack on a third-party vendor could significantly impact their organisation. It is a difficult risk to eliminate, as most companies will eventually need to work with external parties. Managing this risk requires organisations to assess how other businesses handle cybersecurity threats: not only their efforts to prevent an attack, but also their response after an attack has taken place. Assessing how a business partner manages risk is not a one-time procedure. Their policies and activities should be reviewed yearly to ensure that they still comply with the minimum security standards your organisation has set.

Yearly budgets and business decisions may change how a third party treats its cybersecurity. A vendor may choose not to allocate enough resources to cybersecurity for a year, leaving it more vulnerable.


Third-party data breach prevention

Whether a third party is part of the supply chain, employee management or customer management, it is crucial that any data the business shares with them is stored safely. Third parties are harder to manage because they are not under the company's control. This leaves the organisation vulnerable to a cyberattack, but employers are not completely helpless.

Some strategies to minimise third-party data breaches include:

  • Team allocation
  • Smart contracts
  • Communicate and monitor

Team allocation

Just as a company allocates a risk management team for other threats, third-party risk requires a team that will handle this external threat. The team should be trained to recognise high-risk and low-risk vendors and prioritise them accordingly. In the case of Telstra, Pegasus is a low or low-to-medium-risk external party. A partner with more control over employee and customer data would be a higher-risk third party. The team should be equipped with the tools needed to assess the company your business is cooperating with and to ensure that all security standards are met.

Smart contracts

When developing a contract with a third party, it is wise to discuss your expectations regarding security. As cyberattacks can lead to financial losses for the business, the external party can be required to provide evidence of high security standards, or else be liable for any potential financial or reputational losses. The contract can also require the third party to provide adequate cyberattack training to its employees. Before signing a contract, discuss whether they are willing to be audited to ensure compliance.

Communicate and monitor

It is important to keep a good relationship with all partners and communicate with them regularly so that your requirements are clearly established. If necessary, ask them for proof that they are taking cybersecurity seriously. If they refuse to provide evidence, the smartest decision is to avoid collaborating with that partner. Even if the risk seems small, a third-party data breach could cause fear among your customers and make them think that safe data storage is not your priority.

If the external party is a high-risk partner, you can ask them for a way to stay updated on their latest certifications and cybersecurity activities. It is also wise to explain to your partner what your actions will be if a data breach occurs: how fast you expect them to act and investigate, and what your stance will be during the process.

In some cases, it is impossible to prevent a cyberattack. Businesses can develop strategies to mitigate the risk, but eliminating it may not be an option. This is why a risk-aware culture is important for companies.

Polonious understands the impact of third-party data breaches, so we comply with the highest standards to help keep your business safe. While ensuring our own compliance, we can assist your business in improving its investigations and risk management. Reach out if you want to learn more about how we handle cybersecurity and third-party risk.