Third party risks: knowing your IT Service Provider

Authored by QBE Senior Risk Manager Jaini Gudhka

Accessing the proper expertise, management, and support from third-party IT service providers

In theory, outsourcing your IT should be as easy as using external partners for HR, payroll, legal or accountancy services.

But do you know exactly what you are paying for with an IT Service Provider (ITSP)? And how do you know you’re getting value for money; alongside all the services and security your business needs?

With official statistics showing that 39% of UK businesses identified a cyber-attack on their organisation in 2022 – 83% of which were phishing attacks – it’s little wonder that organisations that do not have a dedicated IT department look to outsource their IT to an expert external provider, or a Managed Service Provider (MSP).

Given the level of investment required to ensure internal IT departments install the correct technologies, controls, and skills, this is not surprising. Statistics showing that outsourcing IT is now the favoured approach by:

• 36% of micro businesses (<10 employees)
• 57% of small businesses (<50 employees)
• 65% of medium organisations (51-250 employees)
• 72% of large organisations (250+ employees)

The challenge for all businesses, regardless of size and sector, is selecting the right service provider. The marketplace is exceptionally busy and highly competitive.

Who is right for your business? Do they understand your business needs, risk profile and strategic direction? Are they proactive? Will they effectively support you in the event of a breach, IT incident or cyber incident?

Employing the services of a third-party reception or payroll service allows for straightforward reviews, but with a third-party ITSP, identifying effective IT management is much harder.

Supply Chain Risk

Both ITSPs and MSPs supply organisations with IT support services. As with all third parties which process data, there is a risk of them being attacked by both external and insider criminals, who could potentially win access to many business networks as a result.

It’s a security trade off; an organisation benefits from the ITSP’s security expertise – but to do that, it almost always needs to grant the provider with access to its data.

Because service providers are part of your supply chain, you are within your rights to clarify exactly what the service provider is offering. Assessing the capabilities of the supplier is critical – once the contract is signed (and indeed, there needs to be one for your protection) you’re stuck with each other.

Supplier assessments are usually conducted using a tailored supplier questionnaire. These questions can form part of the procurement phase, when trying to identify a good service provider – or if your business already contracts out to a provider, to check they are doing what they say they are.

The UK survey highlighted that most organisations do not take this approach, preferring to select on price rather than ability. Unfortunately, in failing to assess the supplier’s capability to deliver a secure service, organisations risk significantly higher financial losses than the annual contract savings.

What’s the problem?

While business owners can transfer part of the risk, as the party contracting out services to a third party, you remain accountable for the consequences of IT and security failures.

For example, if you are expecting a home delivery that fails to arrive, you raise a complaint with the organisation that you purchased the goods from and not the third-party that was contracted to deliver the parcel to you.

The same is true of IT service provision and you remain accountable for the consequences of any service failure that may occur. It is therefore crucial that you ensure that third-party service providers can protect your business.

Case Studies: 

The risk is real and to illustrate we share some real-life examples of what happens when the capability and relationship goes wrong:

Company A

Company A suffered compromised emails which could have been prevented using multifactor authentication (MFA) i.e., the requirement for a password and another piece of information such as a pin number or a biometric to be used. The guidance from the IT service provider had been that MFA was optional and would not be appropriate for the senior leadership team. This advice was fundamentally flawed, and was a significant factor leading to invoice fraud, costing the organisation £95,000.

Company B

While Company B had first class security on their laptops and other devices, the IT supplier had failed to inform the company that the servers in the machine room did not have updated software on them. A criminal exploited known vulnerabilities in the system, leading to a ransomware attack on the organisation, costing £1.5m.

Company C

Company C suffered a ransomware attack and contacted their IT provider. While the provider acted to respond and remediate the situation, they did not involve Company C, which as the data controller should have been heavily involved in the investigation. Without cooperating with Company C and sharing all relevant information of the attack, this hindered their ability to understand their obligations under the GDPR. This resulted in significant additional cost to Company C as they had to carry out their own investigation.

Company D

Company D was compromised through an Internet of Things device on the main company network. The IT supplier did not assess vulnerabilities on the network. The client database was compromised and data exfiltrated to the dark web. Data loss was reported to the ICO alongside clients with reputational damage and costs unknown.

Many of these issues have been experienced due to businesses having ineffective contractual agreements in place with their IT providers (and alarmingly, some having no contract in place at all).  A contract is critical to ensuring expectations are agreed and documented, and it should be reviewed regularly to ensure that obligations are being met.

A good provider will work with your organisation and relevant stakeholders to ensure that the risks are managed effectively, your business is protected, and does not suffer damage.

Advice for businesses

Whilst the National Cyber Security Centre has issued some guidance on supply chain security, here we have provided some guidance and a checklist of items that you can use with your provider. A good provider will be able to answer these questions with ease and provide evidence to support.  

If you are unsure of anything your provider is or isn’t telling you, keep asking. It is important to have effective communication whereby a provider is transparent and helps you understand their service and how potential risk to your business is mitigated.

If your provider makes it difficult for you to get answers to the basic requirements, now may be the time to consider whether they are the right provider for your organisation.  We would recommend conducting a critical supplier review annually. Like many supplier relationships, your organisation may have grown and evolved, and therefore what was right for you when you first engaged a provider, may not be suitable now.

This guidance has been produced in partnership with Risk Evolves