Cybersecurity practices for working with external service providers
As an SME in Aotearoa, it’s likely you rely on specialist service providers — like payroll administrators, bookkeepers, HR professionals, and IT professionals like us — to manage key functions, rather than hiring full-time, in-house staff. This approach offers you flexibility and access to expert knowledge, and can help you focus on what you do best — running your business. However, granting these external partners or contractors access to your systems can open your business up to potential risks if not managed carefully.
According to CERT NZ’s Q1 Cyber Security Insights report, while there was a decrease in the number of security breaches reported, there was still $6.6 million in direct financial loss reported for Q1 alone. The top three breach types were phishing and credential harvesting, scams and fraud, and unauthorised access.
You might have worked hard to secure your own systems and educate your own team, but what about the service providers who have access to your data, too? The more people who have access to sensitive information, the more potential entry points there are for cyber threats. This doesn’t mean you shouldn’t work with external providers—it just means you need to be cautious. Here are some simple steps to help ensure your business remains secure while working with your partners.
Choose your partners wisely
Before you bring anyone on board, ask about their security practices. Do they have their own cybersecurity policy? How do they protect their own systems and, by extension, yours? If they can’t give you clear answers (or are not open to remedying gaps), it might be worth considering another provider.
Implement access controls
You don’t need to give external providers full access to your entire system. Instead, implement access controls that limit their access to only the information they need to do their job. For example, your payroll administrator might only need access to financial data, not your entire customer database. By restricting access, you reduce the risk of a potential breach.
Use strong passwords and multi-factor authentication (MFA)
It might sound obvious, but strong passwords are your first line of defence. Ensure every user has their own username (login) and password for any accounts they need to access, with no shared accounts. Recommend that your external providers use strong, unique passwords for accessing your systems, and implement multi-factor authentication (MFA). This adds an extra layer of security by requiring users to provide two or more verification factors to gain access.
Regularly review access permissions
Access needs change over time. A provider might require access to certain systems at the beginning of your working engagement, but that might change as time goes on. Make it a habit to regularly review who has access to what. If a provider no longer needs access to certain data or systems, revoke it immediately.
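The two practices above, least-privilege access for each provider and a regular review that revokes what is no longer needed, can be turned into a repeatable check. The following is an added example, not code from the original article or from any product it mentions. The role-to-resource map, the provider accounts, the sign-in dates and the review date are all constructed sample data; a real review would run over an export from your identity provider or the admin console of each system.

```python
"""Access review for external provider accounts (added example).

Flags the situations the article says to act on:
  - a provider holding a resource their role does not need (revoke it)
  - an engagement that has ended but the account still exists (disable it)
  - no sign-in for a long time (confirm the access is still needed)
  - a shared login (issue individual usernames instead)
"""
from datetime import date, timedelta

# Assumed least-privilege map: which resources each provider role should hold.
# A business would tailor this to its own systems.
ROLE_ALLOWED = {
    "payroll": {"payroll_system", "finance_reports"},
    "bookkeeper": {"accounting_software", "finance_reports"},
    "it_support": {"admin_console", "email_admin"},
}

# Constructed roster of provider accounts and what they currently hold.
ACCOUNTS = [
    {"user": "a.payroll", "role": "payroll", "shared": False,
     "granted": {"payroll_system", "finance_reports", "customer_database"},
     "last_login": date(2024, 5, 20), "engagement_end": None},
    {"user": "b.books", "role": "bookkeeper", "shared": False,
     "granted": {"accounting_software"},
     "last_login": date(2024, 1, 3), "engagement_end": None},
    {"user": "helpdesk", "role": "it_support", "shared": True,
     "granted": {"admin_console"},
     "last_login": date(2024, 5, 28), "engagement_end": None},
    {"user": "c.contract", "role": "it_support", "shared": False,
     "granted": {"admin_console", "email_admin"},
     "last_login": date(2024, 2, 1), "engagement_end": date(2024, 3, 31)},
]

# Constructed date on which the review is run.
REVIEW_DATE = date(2024, 6, 1)


def review_access(accounts, today, stale_days=90):
    """Return (user, finding, detail) tuples for a human reviewer to act on."""
    findings = []
    for acct in accounts:
        allowed = ROLE_ALLOWED.get(acct["role"], set())

        # Least privilege: anything granted beyond the role's needs is a revoke.
        extra = acct["granted"] - allowed
        if extra:
            findings.append((acct["user"], "over_privileged", sorted(extra)))

        # Ended engagement takes priority over a mere stale sign-in.
        end = acct["engagement_end"]
        if end is not None and end < today:
            findings.append((acct["user"], "engagement_ended", end.isoformat()))
        elif today - acct["last_login"] > timedelta(days=stale_days):
            idle = (today - acct["last_login"]).days
            findings.append((acct["user"], "stale", idle))

        # Every person should have their own username; shared logins are flagged.
        if acct["shared"]:
            findings.append((acct["user"], "shared_account", "issue individual logins"))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(ACCOUNTS, REVIEW_DATE):
        print(f"{user:12} {finding:17} {detail}")
```

Running the check on the sample roster flags the payroll account's access to the customer database, the bookkeeper who has not signed in for 150 days, the shared "helpdesk" login, and the contractor whose engagement ended in March but whose account still exists. Scheduling a run like this each month, against a fresh export of accounts, is the habit the section describes.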
Secure data transfers
Transfer sensitive information securely via encryption. Encryption ensures that even if data is intercepted, it can’t be read without the proper decryption key. Many email services offer encryption, and there are also secure file-sharing platforms that can be used for this purpose.
Regularly update software
Cyber threats are constantly evolving, and software providers are always releasing updates to patch vulnerabilities. Ensure that both your business and your external providers regularly update all software, including antivirus programs, firewalls, and operating systems. These updates are crucial for staying ahead of potential threats.
Develop an incident response plan
Even with the best precautions, breaches can happen. That’s why it’s essential to have an incident response plan in place. This plan should outline what steps to take if there’s a security breach, who to contact, and how to minimise damage. Make sure your contractors are aware of this plan and know their role in it.
Improve cyber resilience with Onwardly
We’ve partnered with Onwardly, a platform that makes it easier for even non-tech-minded business owners to feel confidence and peace of mind around their cyber resilience. Onwardly enables you to conduct your own risk assessments, establish an implementation plan and receive reports to help you remedy gaps and improve security performance.
Train your team
Ensure that your internal team is aware of the cybersecurity risks associated with working with external providers. Remember, cybersecurity is a shared responsibility—not just your IT service provider’s. Offer training on best practices, such as recognising phishing attempts and understanding the importance of secure passwords. Incorporating platforms like SafeStack can provide targeted, continuous education to keep your team up to date on the latest threats and defensive techniques. Education is a crucial part of your defence strategy.
And finally, ask for some help! If you’re conscious that your business could be doing more to stay secure, but you’re not sure where to start, get in touch and we can tell you more about our strategy and support options.