MediSecure breach highlights need for third-party security
The recent health data breach linked to MediSecure has spotlighted the urgent necessity for enhanced third-party risk management practices in contemporary organisational settings. This breach, traced back to a third-party vendor, occurred just a week after the Australian Privacy Commissioner highlighted third-party vulnerabilities as a significant weak spot for organisations. More than a million Australians had their data compromised through various clubs in NSW and ACT.
The findings align with a recent report by the Office of the Australian Information Commissioner (OAIC), indicating a growing trend of data breaches stemming from third parties. Over the past six months, there have been 483 notifications of direct data breaches and 121 secondary breaches originating from third parties.
David Vohradsky, Cyber Security Practice Lead at Avocado Consulting, emphasises the need for organisations to reassess and enhance their procurement processes to mitigate such risks. He points out that procurement processes must factor in IT and security issues from the outset. In many cases, IT departments are excluded from business purchase decisions, leading to delayed risk management efforts. This is particularly concerning for organisations prioritising agility and autonomy over coordinated security measures.
"The latest third-party breaches underscore the urgent need for procurement processes to consider IT and security from the start. Often, IT departments are excluded from purchase decisions, leading to delayed risk mitigation. In organisations prioritising agility and autonomy, anyone can purchase low-cost but high-risk software-as-a-service subscriptions, bypassing established protocols and causing security breaches. Traditional procurement must shift to a model ensuring consistent security measures across all departments and processes," states Vohradsky.
Vohradsky suggests a tiered strategy for third-party risk management, one that weighs both business value and IT/cyber risk and includes regular reviews to assess financial and security risks. He explains that integrating these elements ensures that spending advances business goals while maintaining a robust security posture.
Avocado Consulting advocates a collaborative approach between IT and executive management to balance business needs with security requirements. Vohradsky elaborates, "A tiered strategy in third-party management necessitates collaboration between IT and executive management. This balance ensures effective, value-driven spending while considering technology fit and risk. Managing higher-risk Tier 1 vendors monthly and reviewing both Tier 1 and Tier 2 vendors annually ensures regular evaluation of performance and alignment with strategic and security goals."
These breaches serve as a stark reminder of the vulnerabilities arising from inadequate third-party risk management. As organisations aim to stay agile and competitive, it is crucial to develop procurement strategies that integrate IT and security considerations from the beginning. Implementing such approaches will not only protect sensitive data but also support sustainable business growth.