Ministry of Defence data breach: Third-party vulnerability opens door to significant cyber breach

07 May 2024

Today’s reported cyber-attack on the Ministry of Defence (MoD) clearly demonstrates the growing risk for large organisations and businesses as cyber criminals continue to target third-party service providers, says RSM UK.

According to RSM UK’s latest The Real Economy findings, over half (58%) of middle market businesses have had a third-party service provider suffer a data breach or cyber-attack in the last 12 months. Over a quarter of businesses surveyed (26%) confirmed that this impacted their business either financially, reputationally, or operationally, up from 17% in 2022.

A payroll system used by the MoD and managed by an external contractor, which includes names and bank details of armed forces personnel, was hacked in recent days.

Sheila Pancholi, partner at RSM UK, said: 'As the technology landscape evolves, many businesses and organisations have outsourced their IT service provision, including cyber security. This shift in behaviour does not go unnoticed by fraudsters, who can see third parties as a weak link in the security chain, which many are successfully exploiting. While outsourcing can bring the key expertise and skills a business needs, strengthen operational resilience, and scale up quickly, it can also increase the risk of data security issues and regulatory compliance breaches.'

The increased use of AI in cyber-attacks means that the entry barrier to cybercrime has been lowered. It is now often committed on an industrial scale, using carefully coordinated, sophisticated and far-reaching techniques, so it’s vital that businesses have confidence not just in their own systems, but also in their outsourced suppliers.

Stuart Leach, partner at RSM UK, added: 'The increase in third-party breaches highlights the need for formal and extensive technology and cyber due diligence when selecting a third-party supplier. This ensures the proper controls and cyber defences are in place to mitigate risk. These defences should be tested annually as a minimum. Those who have contracted work out to third parties may be held liable for the consequences, and have their business interrupted for a considerable time. The reputational damage and loss of trust from customers that a cyber-attack can cause may take years to rebuild.'