Why your cybersecurity governance strategy must cover third-party risks

Your business relies on an ecosystem of third-party organisations to meet various requirements, from manufacturing to internal IT processes. You would likely struggle to survive without these partnerships: smaller businesses often do not have the resources to bring some functions in-house, and third-party suppliers contribute heavily to the business's success. Even for larger organisations, bringing an entire function such as manufacturing in-house rarely makes sense when another company can handle that part of your operations.

However, these organisations often hold, or can reach, some of your sensitive data, and many have a network or application connection into your environment. Every transaction, data flow or communication channel that links the two businesses is something a threat actor can abuse, from delivering ransomware through a trusted connection to targeting your invoicing and payment processes. Recognising and mitigating these exposures is essential to strengthening your cyber security posture.

Who are your third parties?

Third parties include any business or person connected with your organisation. These might be suppliers, manufacturers, service providers, and partners, to name a few. Any Software as a Service (SaaS) provider whose software you use also counts as a third party, because it stores some of your data and communications and frequently holds credentials or integrations into your other systems.

Due to their connection with your business, third parties can access some of your sensitive data. They might have access to customer records, systems, or internal data about your employees and business. Therefore, every third party associated with your company becomes a potential cyber security risk. 

In an example made public in 2017, a threat actor dubbed ‘APT Alf’ by the Australian Signals Directorate (ASD) compromised the systems of a small Australian firm that subcontracted to defence agencies in Australia and the US, and stole sensitive defence documents. The defence agencies themselves were not breached directly; the subcontractor was the path in.

Why incorporate third-party risk management?

You cannot avoid engaging with third parties, so you need a strategy for mitigating the risks they bring to your business. If a threat actor compromises a third party, they can use that foothold, and any trust relationship it carries, as a path into your environment, resulting in a data breach or cyber attack. For this reason, third-party risk management belongs in your cyber security governance strategy. It allows you to:

  • Build a more accurate risk profile of your enterprise by improving visibility into the security practices of your suppliers, rather than treating them as a blind spot.
  • Reduce the likelihood and cost of a data breach, including what you lose and what recovery costs, by identifying weak suppliers before they are connected to your business.
  • Improve compliance with cyber security regulations by reducing the risk of suppliers leaking customer data, and by being able to show regulators the due diligence you performed.

That last point is particularly pertinent. Even if your company has implemented strong cyber security controls, a breach via a third party that exposes customer information could see your business receive penalties and fines because you did not complete your due diligence.

What’s involved with managing third-party risks?

Managing third-party risks requires a proactive approach to assess and mitigate the cyber security threats external vendors pose. A few key measures include:

  • Vendor management policies: You must define the maximum level of risk you are willing to accept, and the minimum security controls you require, when benchmarking third-party organisations. Before starting any partnership, a vendor must meet these predetermined criteria, and the policy should also cover re-assessment during the relationship and secure offboarding (revoking access, returning or destroying data) when it ends.
  • Security questionnaires: A cyber security questionnaire assesses third-party suppliers’ security practices and protocols. You can gauge the supplier’s cyber risk posture using detailed questions, ensuring they meet the required security benchmarks.
  • Security ratings: Security ratings provide a quantifiable measure of a third-party supplier’s cyber risk based on various data points. They offer your organisation a quick insight into the supplier’s cyber health, allowing you to make informed decisions about potential partnerships.

It’s important to note that these processes come with challenges. The evaluation process can be resource-intensive and lengthy. Questionnaire answers are also self-reported, and you rarely have the access needed to verify them independently, so even a supplier that passes your assessment leaves you carrying some residual risk. Contractual security obligations, evidence such as independent audit or penetration test reports, and limiting each supplier's access to only what its role requires help narrow that gap, but do not remove it.

You cannot avoid relying on third-party organisations, but you can focus on working with companies that prioritise cyber security and meet your minimum requirements. Implementing assessment methods, setting clear security benchmarks, and remaining vigilant about the evolving threat landscape all contribute to strengthening your cyber security posture. By incorporating third-party risk management into your governance strategy, you can better protect your organisation’s data and reputation.

Mercury can guide your cyber security governance strategy

Good cyber security governance goes beyond managing risks; it is about aligning your security measures with core business objectives, ensuring compliance, and building a framework that fosters accountability, transparency, and resilience against cyber threats. 

We offer expertise in building governance frameworks, policies, and strategies uniquely tailored to your organisation. Visit our Governance Services page for more.
