RSM UK says this latest attack highlights the growing risk to organisations as cyber criminals continue to target third-party service providers. Last week a third-party which holds data for millions of Ticketmaster and Santander customers was hacked by the ShinyHunters hacker group, which is now threatening to sell the data.

According to RSM UK’s latest The Real Economy findings, over half (58%) of middle market businesses have had a third-party service provider suffer a data breach or cyber-attack in the last 12 months. Over a quarter of businesses surveyed (26%) confirmed that this impacted their business either financially, reputationally, or operationally, up from 17% in 2022.

Alex Tait, regional managing partner and head of risk at RSM in Edinburgh, said: “Many businesses in sectors which are prevalent in Scotland such as hospitality and leisure, retail, and financial services have outsourced their IT service and data hosting provision, including cyber security.

“This shift in behaviour does not go unnoticed by fraudsters, who can see third-parties as a weak link in the security chain, which many are successfully exploiting.

“While outsourcing can bring the key expertise and skills a business needs, strengthen operational resilience, and scale-up quickly, it can also increase the risk of data security issues and regulatory compliance breaches.”

Stuart Leach, partner at RSM UK, added: “The increase in third party breaches highlights the need for formal and extensive technology and cyber due diligence when selecting a third-party supplier.

“This ensures the proper controls and cyber defences are in place to mitigate risk. These defences should be tested at least annually. Those who have contracted work out to third parties may be held liable for the consequences, and have their business interrupted for considerable time.

“The reputational damage and loss of trust from customers that a cyber-attack can cause may take years to rebuild.”

Businesses should focus on the following:

• Map their cyber footprint – this is everywhere a business’ data is, and potentially includes providers without active agreements.
• Understand their critical providers’ threat landscape and what the motivations of a cyber attacker might be.
• Assess the potential impact to their business if a critical third-party provider is breached.
• Assess their and their providers’ controls to manage cyber risk given the threat landscape.