The Value of a Big-Picture Partner in Third Party Cyber Risk Management
Just about every organisation relies on a complex network of technology partners. Access control systems, CCTV, nurse call platforms and building management systems generally all come from specialist vendors who install, run, and maintain them to some level.
Each of these systems is essential to delivering your operational services effectively.
Many of these systems quietly connect to your core network. Who is responsible (and more importantly, accountable) for their compliance with security standards? And if they are not being managed appropriately, what are the implications and planned actions?
This is not a risk to be ignored - without the right cyber discipline, these systems are gateways to data breaches and persistent threat actors.
Recently, a number of our clients have faced problems with third-party providers failing (or actively refusing!) to follow basic operational technology (OT) cyber practices.
The challenge often begins with something small: a contractor who insists their device must stay on an outdated firmware version, or a local vendor who "requires" open remote access without security controls. (We often hear that "emergencies happen and timeliness of response is critical" - but this should never come at the expense of cyber controls!)
These moments seem minor but can rapidly create tension between the organisation, the vendor, and the IT partner/team responsible/accountable for keeping systems secure.
How security = friction
Unfortunately, this is a pattern we see often. Our teams apply strict OT cybersecurity controls to protect clients’ infrastructure (even when it is not a direct component of our remit).
Not every vendor shares the same standards. Some third parties don’t understand the required practices. Others dismiss them as unnecessary, inconvenient, or simply "don't care" as they are just here to "do their job" and get out as quickly as possible.
When this happens, friction occurs. Clients find themselves caught in the middle, unsure whom to trust. The third party claims that security measures block their system’s functionality, whereas the IT/cyber partner insists those same controls prevent breaches and downtime.
Without clear understanding (and organisational policy guidance), clients are left to choose between security and convenience.
That’s when risk starts escalating.
Why unmanaged systems amplify threats
Every third-party device, system, application or contractor that connects to, or uses, your network expands your attack surface and the risk profile that your data is exposed to.
When these systems are not reviewed and integrated through a security-first lens, you are silently facing one or more of the following:
- unmanaged access pathways such as direct VPN tunnels, open ports or gateways with uncontrolled credentials and no governance;
- vulnerable firmware or software versions that have known, publicly available exploits;
- limited or no device, access or log monitoring, allowing issues to go undetected until damage is done;
- bypass of security architectures such as network segmentation (through VLANs) or zero-trust frameworks;
- accountability gaps (when no one owns the risk, it becomes your risk!).
In environments where patient care, physical safety, or operational reliability matter, these risks are unacceptable - and, in most cases, nobody even knows they exist!
A single misconfigured or unpatched system can expose confidential data or disrupt essential services silently, quickly and without recourse.
Consequences are real
Imagine a third-party nurse call vendor insisting on remote access to troubleshoot faults - a perfectly reasonable request that, on the surface, should be approved without question (nurse call is an essential service and needs to just work).
What is not clear (or perhaps not known by the vendor) is that the required remote access system relies on an outdated, weak authentication mechanism, with no capacity for oversight, audit or update, and with exploits known to exist.
You now face a wicked choice - impact the responsiveness of nurse call support, or place your organisational data (and systems) at risk.
Navigating these situations is not trivial. Building a secure, scalable network that supports these competing requirements is possible. Understanding that you will face these choices is fundamental.
A good IT/Cyber partner won't tell you which choice to make - but they will explain the risks and alternatives that you have available. And if they don't - we can!
In similar ways, unsegmented CCTV systems, access control/alarms or building management controls expose sensitive networks. Time and again, security incidents trace back not to malicious intent but to unmanaged third-party technology that did not follow secure-by-design practices.
The big picture
The core issue isn’t just technology; it’s perspective, understanding and long-term thinking.
Vendors focus on making their particular system function. A reliable technology partner will look beyond that narrow view. They see how each piece interacts with your broader infrastructure, what risks it adds, and how to mitigate them without reducing functionality.
A big-picture partner doesn’t just “fix IT issues.” They safeguard the entire ecosystem - physical, digital, and operational.
This approach recognises that even small devices and external vendors influence resilience, compliance, and business continuity.
Holistic technology partners
Choose a partner that understands both IT and OT landscapes - the choice will deliver measurable advantages:
- Reduced cyber risk. Your partner ensures every third-party integration meets security baselines and aligns with your organisation’s policies.
- Improved reliability. Consistent configuration and monitoring reduce downtime caused by conflicting systems.
- Faster response. Clear accountability means faster action when faults or threats occur.
- Compliance confidence. Security practices align with standards such as ISO 27001 and Essential Eight, demonstrating due diligence.
- Simplified decision-making. You get unified advice that balances performance, risk, and budget.
This holistic oversight turns technology from a potential liability into a dependable enabler for your operations.
Aligning everyone on the same standard
The next step is making these principles practical. Every organisation can take simple, structured actions to align third-party systems with strong OT cybersecurity.
Here are our five basic steps to properly protect your OT systems - both from Internet and IT threats:
- Maintain a central register of all external systems connected to your network.
- Require all vendors to agree to and follow your security and network infrastructure policies before connecting new devices (ideally, make sure this is done before they submit a quote for work).
- Use your technology partner to assess risks BEFORE any installation or change, while there is still time to adjust course.
- Segment OT networks from core business and clinical networks - where access is needed, use a tightly scoped firewall ruleset between known, defined endpoints.
- Establish joint response plans between IT, facilities, and external providers that define roles, responsibilities and reporting structures for ANY breach or change situation.
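The register and segmentation steps above, and the risk list earlier in the article (unregistered access paths, outdated firmware, missing ownership, bypassed segmentation), only pay off if someone actually reconciles the register against what is happening on the network. The following is an added example, not Microsolve's code or any client's tooling: a small Python audit that holds a constructed register of vendor-managed OT devices, an assumed allow-list of permitted cross-segment flows, and a few constructed firewall-log lines, and reports the gaps a partner would raise. Every device, address, segment name, version number and log line here is made up for illustration.

```python
"""Reconcile a third-party OT device register against observed network flows.

Added example; all register entries, segments, allow-list rules and log lines
are constructed for illustration and do not describe any real environment.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredDevice:
    ip: str
    vendor: str
    owner: str             # who is accountable for this device's security ("" = nobody)
    firmware: tuple        # installed version, e.g. (2, 4, 1)
    min_firmware: tuple    # minimum version agreed with the vendor in the policy
    remote_access: str     # "none", "jump-host-mfa" or "direct-vpn" (assumed labels)


# Assumed network segments: OT segments are prefixed "ot-" (constructed ranges).
SEGMENTS = {
    "ot-nursecall": ipaddress.ip_network("10.10.0.0/16"),
    "ot-cctv": ipaddress.ip_network("10.20.0.0/16"),
    "ot-bms": ipaddress.ip_network("10.30.0.0/16"),
    "clinical": ipaddress.ip_network("192.168.1.0/24"),
    "corp": ipaddress.ip_network("192.168.2.0/24"),
}

# Assumed firewall ruleset: (source segment, destination segment, dest port)
# pairs that the organisation has explicitly agreed to allow.
ALLOWED_FLOWS = {
    ("ot-nursecall", "clinical", 443),
    ("ot-cctv", "corp", 443),
}

# Constructed register: one entry per vendor-managed device.
SAMPLE_REGISTER = [
    RegisteredDevice("10.10.0.5", "NurseCallCo", "Facilities", (2, 4, 1), (2, 4, 0), "jump-host-mfa"),
    RegisteredDevice("10.20.0.9", "CamVendor", "", (1, 0, 3), (1, 2, 0), "direct-vpn"),
    RegisteredDevice("10.30.0.2", "BMSVendor", "Facilities", (5, 1, 0), (5, 0, 0), "none"),
]

# Constructed firewall log lines in a simple "key=value" format.
SAMPLE_LOG = [
    "src=10.10.0.5 dst=192.168.1.20 dport=443",   # nurse call -> clinical, permitted
    "src=10.20.0.9 dst=192.168.2.10 dport=443",   # CCTV -> corp, permitted
    "src=10.30.0.2 dst=192.168.2.10 dport=3389",  # BMS -> corp RDP, not in ruleset
    "src=10.10.0.77 dst=192.168.1.20 dport=443",  # OT address nobody registered
    "src=10.10.0.5 dst=10.10.0.6 dport=80",       # inside one segment, ignored
]


def segment_of(ip):
    """Return the segment name containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse one constructed 'src=... dst=... dport=...' log line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])


def audit(register, log_lines):
    """Return (finding, subject) tuples for register hygiene and observed flows."""
    by_ip = {d.ip: d for d in register}
    findings = []
    # 1. Register hygiene: firmware below the agreed floor, remote access that
    #    bypasses the controlled path, and devices with no accountable owner.
    for d in register:
        if d.firmware < d.min_firmware:
            findings.append(("outdated-firmware", d.ip))
        if d.remote_access == "direct-vpn":
            findings.append(("uncontrolled-remote-access", d.ip))
        if not d.owner:
            findings.append(("no-accountable-owner", d.ip))
    # 2. Observed flows: OT addresses missing from the register, and
    #    cross-segment traffic the agreed ruleset does not cover.
    for line in log_lines:
        src, dst, dport = parse_flow(line)
        s_seg, d_seg = segment_of(src), segment_of(dst)
        if s_seg.startswith("ot-") and src not in by_ip:
            findings.append(("unregistered-device", src))
        if s_seg != d_seg and (s_seg, d_seg, dport) not in ALLOWED_FLOWS:
            findings.append(("flow-outside-ruleset", f"{src}->{dst}:{dport}"))
    return findings


def run_example():
    """Audit the constructed register against the constructed log."""
    return audit(SAMPLE_REGISTER, SAMPLE_LOG)


if __name__ == "__main__":
    for finding, subject in run_example():
        print(f"{finding:28s} {subject}")
```

Each finding maps back to one of the article's risk categories, so the output reads as an agenda for the vendor conversation: who owns the CCTV device, why it still runs below the agreed firmware floor, what the BMS is doing talking RDP to the corporate network, and which nurse call device nobody put in the register. In a real environment the register would come from a CMDB export and the flows from firewall or NetFlow logs, but the reconciliation logic is the same.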
In all cases, communication is key. When a vendor pushes back on a security measure, your partner can explain the reasoning in plain terms to reduce confusion and maintain trust.
Collaboration, not confrontation
The best outcomes come from collaboration. A strong technology partner helps vendors understand the “why” behind each control. They offer practical alternatives when strict security rules seem to conflict with operational needs. This proactive engagement prevents breakdowns and helps everyone stay focused on shared goals: safety, reliability, and performance.
Rather than playing referee between teams, your partner becomes an interpreter who bridges the gap between operational requirements and cybersecurity discipline.
The trust factor
Ultimately, organisations need a partner they can trust to protect their environment beyond the visible layers. That trust is earned through experience, clear communication, and a genuine commitment to outcomes, not shortcuts.
At Microsolve, our role is to connect the dots between IT and OT, between immediate tasks and long-term resilience. When third-party systems intersect with critical operations, our goal is simple: keep your organisation running securely and efficiently, now and in the future.