Date posted: 10/12/2021

How to manage the security risks of third-party software

You can outsource some cybersecurity responsibility to third-party providers, but not accountability. Brought to you by Aon.

Just because a third-party software provider holds your client data, that doesn’t automatically mean it’s safe. Lucas Roe, Aon’s Managing Principal, Security Advisory and Architecture, explains key risk management techniques.

Q: Is it safe for accounting businesses to use third-party providers to hold client data?

This depends, as organisations often have a false sense of security by looking at the output or reporting of the tools sold to them by vendors when they haven’t completed their own assurance exercises. Organisations should therefore validate that their providers do what they say they do. Trust but validate.

Q: What’s the first step in risk management?

You have to understand the information assets you have and the ways that they are accessed and used, because there are trade-offs. It’s smart to create a cybersecurity management framework based on the different kinds of data you handle that defines appropriate control objectives to mitigate risk. This assists greatly with prioritisation. You wouldn’t spend $10 protecting a $1 asset, but you would consider spending $1 to protect $10.


In an accounting business, you likely have sensitive client data (financial records, for example) and less sensitive data (colleague and client messaging). When it comes to the former, your framework might provide that this data can only be entered or accessed through vetted software, on certain devices, by privileged users, with rigorous credential management. For the latter, you might be more flexible.

However, it does get tricky. Casual communications can be exploited by attackers, and there is always the potential that someone will accidentally put sensitive data into them.

Q: Are there any cybersecurity ‘must haves’?

Six years ago, the Australian Signals Directorate observed that using its ‘Top Four’ mitigation strategies (application whitelisting, patching applications, patching operating systems, and minimising administrative privileges) would have prevented 85% of cyber intrusions seen across the country (they have since updated these into the ‘Essential Eight’)*. This indicates the power of ‘doing the basics’, maintaining cyber hygiene and consistently assessing your position.

Q: How does insurance fit into risk management?

Organisations are shifting to a ‘zero trust’ approach that assumes security compromises. By assuming your preventive controls will break down, you put more realistic focus on your response and recovery controls (such as funding for a cyber incident team and data backups).

Returning to the framework, if you know what data you have and you’ve got the right controls, you’re more effectively managing your risk. But even if you’re 75% protected, what do you do with the last 25% – how do you transfer that risk?

At Aon, we take a risk-based approach to cyber insurance and find clients appropriate policy and level limits to help make sure balance sheets are as protected as possible.

© 2021 Aon Risk Services Australia Limited ABN 17 000 434 720 AFSL 241141 (Aon). Aon has taken care in the production of this document and the information contained in it has been obtained from sources that Aon believes to be reliable. Aon does not make any representation as to the accuracy of the information received from third parties and is unable to accept liability for any loss incurred by anyone who relies on it. The recipient of this document is responsible for their use of it.

Find out more:

Aon is the Australian general insurance partner of the CA ANZ Member Benefits Program and provides exclusive benefits to CA ANZ members. To find out more and get a quote, go to
