Cyber security threats have become a growing concern for governments worldwide. The increasing sophistication of hackers, the growing reliance on technology within government agencies, and the potential for data breaches make it crucial for government agencies to adopt robust third-party cyber risk management practices.
Understanding third-party cyber risk
Government agencies increasingly depend on third-party service providers for various tasks and operations. While outsourcing can provide efficiency and cost savings, it also introduces potential risks, such as unauthorised access to sensitive data, breaches of confidentiality, and compromised critical systems.
South Australian Government's cyber security breach
Recently, the South Australian Government experienced a cyber security breach that potentially exposed data belonging to a significant number of people. The breach occurred through a call centre operator contracted by Super SA, a dedicated superannuation fund for state government employees. Government officials were only informed of the incident nearly two months after it happened.
According to Treasurer Stephen Mullighan, the call centre operator retained Super SA member data after the contract ended, and this data was accessed during the security breach. The breach primarily involved personal information (PI), such as names, addresses, and dates of birth. The government is investigating whether other agencies contracted with the same call centre were also affected.
Importance of timely response and improved internal security
The South Australian cyber security breach highlights the need for government agencies to enhance their internal security and response procedures.
Treasurer Mullighan stressed the importance of insulating government agencies against cyber-attacks and responding to incidents promptly and thoroughly. The response to the breach should prioritise protecting the sensitive data of affected individuals and preventing future incidents.
Establishing a robust third-party cyber risk management framework
To effectively manage third-party cyber risks, government agencies should implement the following best practices:
- Perform a comprehensive data mapping exercise: Before building a robust third-party cyber risk management framework, government agencies need to understand what data they store, who has access to it, and how it is protected. Most government agencies are unaware of the full extent of the data they hold, where it is stored, and who has access to it, including third parties. A data mapping exercise provides an overview of your data risk landscape.
- Conduct comprehensive vendor assessments: Before engaging with a third-party service provider, government agencies should evaluate their cyber security capabilities and track record. Assessments should include the vendor's security controls, incident response procedures, and data protection measures.
- Define clear contractual obligations: Government agencies should outline their expectations and requirements regarding cyber security in their contracts with third-party vendors. This includes specifying the handling and protection of sensitive data, incident reporting procedures, and liability for breaches.
- Regularly monitor and audit vendors: Ongoing monitoring and auditing of third-party vendors is crucial to ensure compliance with contractual obligations and industry standards. Government agencies should conduct periodic assessments of their vendors' security controls, vulnerability management processes, and data protection practices.
- Implement strong access controls: To prevent unauthorised access to sensitive data, government agencies should enforce strong access controls, including multi-factor authentication, role-based access controls, and regular access reviews.
- Encrypt data in transit and at rest: Encryption is critical for protecting data from unauthorised access. Government agencies should ensure that sensitive data is encrypted both during transit and when stored, using transport layer security (TLS) protocols for data transmission and strong encryption algorithms for data storage.
- Regularly patch and update systems: Outdated software and systems can create vulnerabilities for hackers to exploit. Government agencies should establish a robust patch management process to update and patch their systems, including third-party software and applications.
- Conduct employee training and awareness programs: Employees play a significant role in maintaining cyber security. Government agencies should provide comprehensive training and awareness programs to educate staff about cyber threats, phishing attacks, and safe online practices, enabling them to recognise and report potential security incidents.
- Establish an incident response plan: A well-defined incident response plan is essential to minimise the impact of security breaches. Government agencies should develop and regularly test incident response plans outlining steps to be taken during a cyber-attack, including key stakeholders' roles, communication protocols, and the recovery process.
- Foster collaboration and information sharing: Government agencies should promote collaboration and information sharing among their peers to strengthen cyber security defences. Participation in information sharing initiatives, such as threat intelligence sharing programs, helps to stay updated on the latest cyber threats and best practices.
- Regularly evaluate and improve the third-party risk management program: Continuous evaluation and improvement are essential for ensuring the effectiveness of third-party risk management programs. Government agencies should review their processes, controls, and technologies to identify areas for enhancement and implement necessary changes.
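As an added example (not from the original article or MinterEllison's own tooling), the following Python check runs over a constructed third-party data register and flags the two failures seen in the Super SA case: vendor-held data still present after the contract ended with no deletion attestation, and incident notification outside the contracted window. The vendor names, dates and notification window are constructed values, not details of the real incident.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Constructed register of third parties holding agency data (illustrative only).
@dataclass
class ThirdParty:
    name: str
    data_categories: List[str]                 # PI categories held, taken from the data map
    contract_end: Optional[date]               # None means the contract is still active
    deletion_attested: Optional[date]          # vendor's written confirmation data was destroyed
    notify_within_days: int                    # contractual incident-notification window
    incidents: List[Tuple[date, date]] = field(default_factory=list)  # (occurred, reported)

def review_register(register: List[ThirdParty], today: date) -> List[Tuple[str, str, str]]:
    """Return (vendor, finding, detail) tuples for data retained past contract end
    and for incidents reported later than the contract allows."""
    findings = []
    for tp in register:
        ended = tp.contract_end is not None and tp.contract_end <= today
        if ended and tp.data_categories and tp.deletion_attested is None:
            days = (today - tp.contract_end).days
            findings.append((tp.name, "data_retained_post_contract",
                             f"{', '.join(tp.data_categories)} held {days} days past contract end"))
        for occurred, reported in tp.incidents:
            delay = (reported - occurred).days
            if delay > tp.notify_within_days:
                findings.append((tp.name, "late_incident_notification",
                                 f"reported after {delay} days, contract allows {tp.notify_within_days}"))
    return findings

# Constructed sample register and review date (hypothetical vendors).
REVIEW_DATE = date(2023, 7, 1)
REGISTER = [
    ThirdParty("ExampleCallCentre", ["names", "addresses", "dates_of_birth"],
               contract_end=date(2023, 1, 31), deletion_attested=None, notify_within_days=3,
               incidents=[(date(2023, 5, 1), date(2023, 6, 27))]),
    ThirdParty("ExampleArchiveVendor", ["names"], contract_end=date(2022, 12, 31),
               deletion_attested=date(2023, 1, 10), notify_within_days=3),
    ThirdParty("ExamplePayrollVendor", ["names", "bank_accounts"], contract_end=None,
               deletion_attested=None, notify_within_days=3,
               incidents=[(date(2023, 3, 2), date(2023, 3, 3))]),
]

if __name__ == "__main__":
    for vendor, finding, detail in review_register(REGISTER, REVIEW_DATE):
        print(f"{vendor}: {finding} ({detail})")
```

Only the first vendor produces findings: the archive vendor attested deletion and the payroll vendor reported its incident within the window.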
As cyber threats continue to evolve, government agencies must prioritise robust third-party cyber risk management practices to safeguard data and protect customers. By conducting thorough vendor assessments, defining clear contractual obligations, and regularly monitoring vendors, agencies can mitigate outsourcing risks. Implementing strong access controls, encrypting data, and regularly patching systems are crucial for maintaining a secure environment. Employee training, incident response planning, and collaboration with peers strengthen cyber resilience. By adopting these best practices, government agencies can stay ahead of cyber criminals and ensure the protection of sensitive data and customers' trust.
MinterEllison is a leader in cyber security, offering integrated legal, cyber risk, and technology consulting. This integrated capability enables us to advise our clients and navigate them through the challenging and complex environment of their supply chain cyber risks. Should you or your organisation require any assistance with managing your supply chain cyber risks, please reach out to the MinterEllison National Cyber Security Consulting Practice.