
Entertainment Cybersecurity Series: Third Party Risks


This is the fourth installment of a five-part cybersecurity series on the entertainment industry. You can find the first three installments here:

  1. Remote Work Cybersecurity Issues
  2. Data Breach and Content Leaking Cybersecurity Issues
  3. Ransomware Cybersecurity Issues

As the cybersecurity series continues this summer, the fourth topic is third-party vendor risks. As I am sure you are aware, the benefits of these vendors are vast, but so are the supply chain risks.

The Popularity of Third-Party Vendors

When outsourcing services to third-party vendors or service providers, entertainment businesses open themselves up to additional risks with such relationships. A third party or supply chain vendor is an entity that provides a product or service directly to you or your customers and/or an entity critical to maintaining your daily operations. Third parties can include partners, consultants, vendors, or suppliers.


It is quite usual for entertainment businesses to rely on third-party vendors for both services and products. Destination management teams, communication consultants, photography and videography, technical support, ticketing support, marketing, DJs, decorators, catering, sound teams, and light teams are only some examples of vendors often hired in live entertainment. Outsourcing certain activities and services to external providers cuts costs and increases productivity, but it also brings a new range of issues, particularly related to cybersecurity.

While there are other types of risks associated with third-party vendors, this article is about those third-party vendors that are related to your intellectual property and IT infrastructure, i.e., those that have a cyber risk profile. Examples include IT companies, software vendors, website plug-ins, and SaaS products, to name a few. Networks and the data on them have been breached, or data has been leaked, through the acts of third-party vendors or when their products were compromised. A major example was the SolarWinds breach, caused by compromised server software used by many organizations around the world.

Cybersecurity is a Necessity for Entertainment Businesses

70% of music industry IT leaders have dealt with cyber security issues due to vulnerabilities caused by third party vendors. As mentioned in a previous TSE article dealing with risks with live events in the entertainment industry, data breaches are a very significant threat. The interconnected nature of supply chains and data/information networks means that the security practices of third-party vendors can significantly impact the overall cybersecurity of an organization hiring these contractors.

In this article, we will examine the complex relationships between organizations and the cybersecurity risks posed by third-party vendors, highlighting some of the different ways third-party vendors can threaten an organization’s data/information security and integrity. Organizations can improve their cyber resilience by recognizing these risks and implementing efficient strategies for minimizing them.

Strong Dependency: Vulnerabilities

Third party vendors have a large potential impact on business cybersecurity. To support their operations efficiently, live entertainment firms depend greatly on third-party vendors. While there are obvious advantages to this kind of partnership model, organizations must address the associated significant cyber security threats in order to protect proprietary information and systems.

Supply Chain Vulnerability Can be a Significant Threat

One type of vulnerability we will address is supply chain vulnerability. One of the key impacts of third-party vendors on cybersecurity is exposure to supply chain vulnerabilities. A supply chain is made up of the people, processes, and technologies that move goods and services from one group to another. This includes third-party organizations that develop components for products and software, as well as third-party libraries and code used in internally developed software.

Entertainment businesses rely more than ever on third-party vendors for various services, such as payment processing, cloud and infrastructure engineering, API integrations, customer support, and marketing services and applications. More of these third parties have access to sensitive customer data, and they have become an increasing target for cybercriminals.

In turn, this creates dependencies. These dependencies increase the attack surface for cybercriminals. An attack surface is the group of all entry points an attacker can use to control or extract information flow. These include vulnerabilities in hardware components such as laptops, phones, and desktops, as well as in software code and applications.

According to research from independent analyst firm Forrester, “Forrester data reveals that 55% of security pros reported their organization experienced an incident or breach involving supply chain or third-party providers in the past 12 months.”

Cybercriminals can exploit weaknesses in one vendor’s system to affect and infiltrate the entire supply chain of that vendor. A breach or compromise at any point in the supply chain can have a snowball effect, in turn compromising the security of a variety of other connected businesses.

There are numerous examples of third-party data breaches that affected major brands, including Ticketmaster, AT&T, Chick-fil-A, LinkedIn, T-Mobile, Uber, Dollar Tree, and many others. If these major corporations can’t prevent third-party threats, you can imagine how vulnerable smaller entertainment organizations are to such threats.

Data/Information Vulnerability

In one study, close to 70 percent of music industry leaders listed a third-party vendor-related data breach as their primary concern. One cybersecurity impact of using third-party vendors is a higher possibility of data or information leaks or breaches. Many third-party entertainment vendors handle sensitive information or data for their clients, and this increases the potential for a data/information leak.

Data/information breaches involving third-party vendors can lead to sensitive information being exposed across the Internet, funds being lost or stolen, as well as reputational damage and legal consequences for the organizations that encounter them. These consequences underscore the importance of strict security measures and oversight when using third-party vendors.

Regulatory Compliance Vulnerabilities

Regulatory compliance challenges are important to consider as well. Like other industries, live entertainment is governed by laws and privacy regulations that ensure secure handling of private data. Whenever entertainment companies contract with external providers, they also entrust them with these regulatory obligations. Failure by these suppliers to adhere to regulatory requirements can result in legal action and penalties as well as reputational damage for the involved organization. It is the critical responsibility of the organization hiring third-party contractors to perform sufficient due diligence before hiring them and to perform ongoing monitoring of them after they are hired.

Reducing Third Party Entertainment Cybersecurity Risks

In live entertainment, managing risks from third-party suppliers is vital, despite how much effort it involves. A 2022 report from Ponemon Institute found that 55% of organizations, across all industries, stated that managing third parties was overwhelming and a drain on resources.

Despite the drain on resources, proactive steps are necessary to address potential vulnerabilities that come with third-party vendors. Below are ways to effectively handle risks posed by third party vendors:

  1. Conduct a Vendor Risk Assessment

Conducting a thorough vendor risk assessment is the first step towards understanding and managing the potential risks associated with third-party vendors. This assessment should evaluate the security practices and controls implemented by the vendor, as well as their ability to protect sensitive data/information. By identifying and assessing potential risks early on, organizations can make informed decisions about engaging with specific vendors.

  2. Clearly Detail Contractual Obligations and Security Standards

Establishing clear contractual obligations and security standards is essential. This way, one can hold third-party vendors accountable for maintaining entertainment cybersecurity best practices. Entertainment organizations should work with vendors to define security requirements, data/information protection protocols, incident response procedures, and compliance standards. By incorporating these requirements into vendor contracts, organizations can ensure that vendors uphold the necessary security measures.

  3. Carry Out Data Driven Monitoring and Auditing Practices

 


 

Only about 35% of music industry businesses use data analytics to create a cyber defense. Continuous data driven monitoring and auditing of third-party vendors are essential components of an effective vendor risk management strategy. Organizations should regularly assess vendor performance against security standards, conduct periodic security audits, and monitor vendor activities for any signs of potential security incidents.

By maintaining ongoing analytical oversight of vendor relationships, organizations can quickly identify and address any emerging security threats. It is essential to implement a policy requiring entertainment industry leadership to conduct timely and regular audits of third-party vendors. Cybersecurity, third-party vendors, and other IT vulnerabilities must regularly be audited in a timely manner. Third-party verification, reviews, and audits must be done at a minimum annually, as well as when information comes to light that warrants auditing.

Takeaways to Third-Party Entertainment Cybersecurity Preventive Measures

Implementing these measures for managing third-party vendor risks will improve the overall cybersecurity of your company, as well as minimize third-party risks. Following these suggestions will help your live entertainment company build trust with your suppliers, protect sensitive data/information, and safeguard against potential cyber threats.

Internal Suggestions for Minimizing Third-Party Cybersecurity Risks

Of course there are also internal best practices for vendor security. To further reduce the risks related to third-party vendors and strengthen cybersecurity, do the following:

Implement Strong Internal Cybersecurity Policies

An initial step towards improving third-party vendor security is to define clear internal IT policies and procedures for your staff. These internal policies should govern the engagement and management of external partnerships. They must cover issues like expectations about how sensitive information is handled, employee access rights, breach or leak incident response measures, as well as guidelines on meeting required rules and regulations. It is important that your live entertainment organization explains clearly to each employee which tasks belong to vendors and which tasks belong to them.

Staff Training Program on Cybersecurity

A training program focusing on raising awareness of cybersecurity is recommended as well. Educating internal stakeholders and employees about third party vendor cybersecurity practices fosters a culture of physical and digital safety. Employees must understand that internal digital risk and third-party risk are often one and the same. Technology, data, and information applications continually pass among employees, hardware and application suppliers, and services vendors and contractors.

When utilizing third-party vendors, staff training should include how to qualify potential vendors using background checks, policies and procedures related to risk mitigation, and monitoring for risks. This training will enable employees to apply cybersecurity risk-reducing efforts in their daily work.

Data Protection

Implementing encryption and data/information protection measures is important as well. Your IT team or IT contractor should help encrypt and protect sensitive data and information stored by your company. Encryption scrambles data such that only individuals who have prior authorization are able to “unscramble” or view the data. Encryption plays a vital role in safeguarding sensitive data as it travels between systems, including when the information travels to and from third party vendors.

Given that live entertainment companies often deal with celebrities and highly valued information, organizations in the live entertainment business should mandate the use of encryption for data both when it is transmitted and when it is stored, especially when it is shared with third-party vendors.

Additionally, implementing data/information protection measures such as access controls, multi-factor authentication, and regular data/information backups can further strengthen the security of information shared with external partners.

In Conclusion

By using these best practices for enhancing third-party vendor security, organizations can strengthen their overall cybersecurity and better protect against the evolving threats posed by supply chain vulnerabilities. Proactive third-party risk policies and management along with a company commitment to IT security excellence are essential components of a strong cybersecurity strategy.

In summary, the business of live entertainment involves using various third-party information technology vendors. It is of utmost importance to address third-party vendor risks, particularly for cybersecurity purposes, when using such vendors or contractors. If the relationship with third-party IT vendors is handled carelessly, your business may experience supply chain vulnerabilities, information leaks, data breach incidents, and regulatory compliance challenges that pose serious threats to your organization irrespective of its size.

To effectively manage third-party vendor cybersecurity risks, entertainment organizations must implement a comprehensive approach to cyber security including vendor risk assessments, contractual obligations and security standards, and continuous monitoring and auditing practices. Live entertainment companies and businesses can achieve better overall cybersecurity by being proactive and determining and mitigating potential weaknesses in their supplier ecosystem.

Moreover, adopting strong internal cybersecurity practices is also incredibly helpful in preventing adverse incidents. Clear data policies and procedures, regular training programs for employees that promote awareness of information security issues, and strong encryption technologies/information protection measures can strengthen cyber defenses in general. Cybersecurity involves collaboration between entertainment organizations and their third-party vendors. However, the responsibility and liability for data loss often lie with the organization hiring third-party vendors. It’s in the best interest of live entertainment businesses to prioritize security measures and mitigate risks associated with third-party suppliers.

 

Sources:

https://csrc.nist.gov/glossary/term/supply_chain_risk

https://www.prevalent.net/blog/third-party-risk-management-study-2022/

https://www.ciso.inc/blog-posts/cybersecurity-risks-and-vulnerabilities-with-third-party-vendors/#:~:text=Impacts%20IT%20Infrastructure%3A%20If%20threat,loss%2C%20and%20disruptions%20to%20operations.

https://www.forbes.com/sites/forbestechcouncil/2023/11/17/three-questions-to-ask-third-party-vendors-about-cybersecurity-risk/

https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/enterprise-cybersecurity-aligning-third-parties-and-supply-chains

Predictions 2022: Cybersecurity, Risk and Privacy, Forrester Research, Inc., Oct. 28, 2021

Ponemon Institute and Shared Assessments survey: https://sharedassessments.org/wp-content/uploads/2019/11/Third-Party-Risk-Management-Benchmarking-Study-Final-Report.pdf

 

 



About the author(s)


    Saee Patil

    Saee is a graduate student studying cybersecurity policy remotely with Brown University. Previously, she was an undergraduate student at Cornell. She is currently located in Miami, and is surrounded by the Miami musical scene! She loves running into musicians, rappers, and various other entertainers in the industry. Saee is interested in the marriage of technology and music; the emerging market consisting of AI generated music, auditory augmented reality, and virtual reality concerts piques her curiosity. She is looking forward to gaining experience this summer writing articles on cybersecurity as it pertains to the live music industry!
