A third-party data breach happens when your vendor or business partner’s computer system is compromised and exposes your sensitive data. Any vendor in your business ecosystem is vulnerable to attacks by cybercriminals, and industry experts estimate that about 60 percent of all data breaches happen via third-party vendors.
IBM and the Ponemon Institute report that, on average, a company takes 280 days to detect a third-party data breach. Why so long? One reason is that cybercriminals have become much better at operating in stealth mode once they get inside your computer system.
Another, more sinister explanation is that some third-party vendors may attempt to hide a data breach from clients, perhaps because the vendor lacked security controls that could have discovered the breach earlier.
Either way, the consequences and cost of recovering from a breach can be detrimental to your business and your bottom line. For example, some industry reports put the average recovery and remediation cost at more than $7 million. Big targets include credit card companies, email service providers, and cloud service providers.
Examples of third-party security breaches
Despite being an essential business component, third-party suppliers, partners, and vendors are also prime targets for cybercriminals. Third-party data breaches can have terrible repercussions for everyone, not just the victim business.
Here are a few third-party breaches from 2021 that stood out.
- Customers of Click Studios’ business password manager Passwordstate received a breach notification in April after hackers used the app’s update mechanism to spread malware to users. It was unclear how many of the nearly 370,000 security and IT professionals who use Passwordstate at 29,000 organizations worldwide had been impacted by the incident. Click Studios instructed customers who upgraded their clients during the hack to change every password in the Passwordstate database.
- The Cancer Centers of Southwest Oklahoma’s third-party cloud storage provider, Elekta, identified odd behavior on its network early this year. It found that 8,000 cancer patients’ sensitive health information was accessed without authorization. As a result, names, Social Security numbers, locations, birthdays, and information about medical diagnoses and treatments were disclosed.
- Late last year, hackers exposed confidential data, including Social Security numbers and financial information, by exploiting flaws in Accellion’s File Transfer Appliance, which transfers large, sensitive files inside a network.
- The Saudi Arabian Oil Company, known as Saudi Aramco, had one terabyte of data stolen, which included details about its personnel, customers, sites, reports, and project papers. Aramco had the chance to have the data deleted for $50 million; otherwise, the data was up for sale on the dark web for $5 million. Saudi Aramco claims that a flaw at a third party caused the intrusion.
How Many Breaches Are Caused by Third Parties?
The Ponemon Institute published research in 2021 titled “A Crisis in Third-party Remote Access Security” that exposes a disconnect between an organization’s perception of the threat posed by third-party access security and the defenses it implements.
Researchers discovered that by failing to take measures to lower the likelihood of a data breach via third parties, firms are exposing their networks to non-compliance and security risks.
Researchers at the Ponemon Institute discovered that throughout the previous 12 months, security breaches had occurred in nearly half (44%) of the firms. Three-quarters (74%) of those organizations claimed that the breach happened because third parties were granted excessive privileged access to too much confidential information.
Researchers discovered that firms do not perform the required security measures before granting third parties access to their data. About half (51%) of firms said they did not thoroughly vet each third party’s security and privacy procedures before allowing them access to sensitive and personal data.
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, stated that granting remote access to third parties without implementing the necessary security precautions “is practically assuring a security event and a data breach involving sensitive and personal information.”
It’s crucial for businesses to evaluate the security and privacy policies of the outside parties that have access to their networks and to ensure they only have the access necessary to carry out their assigned duties.
Other significant results included that 65% of firms have not identified the third parties that have access to their most sensitive data, and 54% of organizations do not have a complete list of all the third parties who have access to their network.
Common Data Breaches Caused by Third-Party Vendors
Phishing and ransomware attacks have been spiking – especially during the COVID pandemic, which sent many employees to work from home using virtual private network (VPN) connections that provide varying levels of security. Phishing and ransomware are standard cybercrime tools that may lead to the following types of data breaches:
- Unauthorized access via a company email account. That happened to General Electric when it experienced a breach that exposed personal data such as marriage certificates, passports, driver’s licenses, and tax withholding forms.
- Hacking of an email provider. T-Mobile experienced this when it lost control over customer information for about 1 million of its clients.
- Lack of encryption. Health Share of Oregon, which coordinates care for Medicaid clients in the state of Oregon, had an unencrypted laptop stolen and exposed the personal information of over 650,000 clients.
- Unsecure websites and improperly stored login information. A website bug exposed thousands of Instagram account usernames and passwords via the third-party service Social Captain.
These breaches are bad enough on their own. But, even worse, the sensitive information lifted by cybercriminals was already available for sale on the dark web by the time they were discovered. From there, even more scams are perpetrated on unsuspecting customers and clients whose phone numbers and addresses have been exposed.
Preventing Third-Party Vendor Data Breaches and Holding Vendors Accountable
It can be difficult for a business to hold third-party vendors accountable, especially if you don’t have a third-party security policy or program. Ideally, any third-party vendor should enforce the same rigid standards and data security controls that your own company imposes internally.
So how do organizations best prevent third-party vendor data breaches? It all begins with a robust and responsive vendor risk management policy, which can be divided into four action areas.
Audit Third-Party Vendors for Compliance
Discuss risk management requirements with vendors upfront, before onboarding. Some third-party vendors are not open to being audited by partners. If your third-party vendor is resistant to answering simple questionnaires as part of your due diligence during onboarding, you will most likely experience even more resistance to an audit.
Up-to-date data protection measures are central to a good third-party relationship, and an audit is the only way to see what’s happening. A third-party risk assessment and audit evaluate how the organization executes against its security compliance framework and how it performed in previous audits. Look for indicators of compromise and how well the vendor assesses cybersecurity risk.
Require Proof of the Third-Party Vendor’s Cybersecurity Program
Proving that the third-party vendor has an information security program is only half the battle over third-party breaches. The third-party vendor should be able to illustrate that it takes risk management seriously and actively dedicates resources to its vulnerability management program.
Ask for the most recent results from internal risk assessments, penetration testing, and compliance frameworks. The third-party organization must have a robust risk management program, a supply chain risk mitigation strategy, and plans for how to remediate a potential data breach.
Ongoing third-party risk monitoring gives you continuous insights into their cybersecurity program. Hold quarterly reviews to evaluate your vendor’s performance metrics and security posture.
Adopt a Least-Privileged Model for Data Access
Many third-party data breaches have one thing in common: the third party was provided with more access than necessary to do the job it had been contracted to do. Holding third-party service providers to strict least-privileged access standards will improve your network security significantly.
Be careful with sensitive data, such as Social Security numbers or other personal information. Least-privileged access is the cornerstone of managing vendor risk. A breach will do only limited damage when the third-party vendor’s access is restricted to the lowest possible level.
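As an added example (not from the original article), here is a Python access review that turns the least-privilege advice above into a repeatable check: it compares the entitlements each vendor actually holds against the minimum its contracted role needs, treats a vendor missing from the role inventory as holding nothing but excess access (the inventory gap the Ponemon figures above describe), flags access that has not been exercised recently, and ranks the findings so excess access to sensitive data is revoked first. The register format, roles, vendor names and review date are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SENSITIVE = {"pii", "phi", "payment"}  # classifications that warrant extra scrutiny
@dataclass(frozen=True)
class Entitlement:
    resource: str              # system or data store the vendor can reach
    permission: str            # "read", "write" or "admin"
    classification: str        # classification of the data held there
    last_used: Optional[date]  # None means the access was never exercised

# Minimum entitlements each contracted role needs (constructed baseline).
ROLE_BASELINE = {
    "payroll-processor": {("hr-db", "read", "pii")},
    "web-agency": {("cms", "write", "public")},
}

def review_vendor(vendor, role, granted, today, stale_days=90):
    """Compare a vendor's entitlements with its role baseline. A role missing from
    ROLE_BASELINE means the vendor was never inventoried, so everything it holds is excess."""
    needed = ROLE_BASELINE.get(role, set())
    excess = [e for e in granted
              if (e.resource, e.permission, e.classification) not in needed]
    stale = [e for e in granted
             if e.last_used is None or (today - e.last_used).days > stale_days]
    sensitive_excess = [e for e in excess if e.classification in SENSITIVE]
    # Revoke first where excess access reaches sensitive data; otherwise trim.
    action = "revoke" if sensitive_excess else "trim" if (excess or stale) else "ok"
    return {"vendor": vendor, "inventoried": role in ROLE_BASELINE, "excess": excess,
            "stale": stale, "sensitive_excess": sensitive_excess, "action": action}

REGISTER = {  # constructed access register: what each vendor currently holds
    ("acme-payroll", "payroll-processor"): [
        Entitlement("hr-db", "read", "pii", date(2021, 11, 2)),
        Entitlement("hr-db", "admin", "pii", None),  # never used and far too broad
    ],
    ("pixel-studio", "web-agency"): [
        Entitlement("cms", "write", "public", date(2021, 11, 20)),
        Entitlement("file-share", "read", "internal", date(2021, 5, 1)),  # stale
    ],
    ("legacy-cloud", "unknown"): [  # vendor never added to the inventory
        Entitlement("backup-bucket", "read", "phi", date(2021, 11, 28)),
    ],
}
REVIEW_DATE = date(2021, 12, 1)  # constructed date of this access review

def run_review(register, today):
    findings = [review_vendor(v, r, ents, today) for (v, r), ents in register.items()]
    return sorted(findings, key=lambda f: ("revoke", "trim", "ok").index(f["action"]))
```

Running `run_review(REGISTER, REVIEW_DATE)` lists the two vendors with excess access to sensitive data first, so the review queue starts with the entitlements whose compromise would hurt most.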
Adopt the Zero-Trust Network and Data Model
When your network flows are mapped, authenticated, and encrypted, your security ratings will improve dramatically. Cybercriminals may gain access to one part of your computer system, but with a zero-trust model, they cannot move laterally through your computer systems.
Zero-trust means you do not trust any entity inside or outside the established network perimeter. Part of the cybersecurity protocol that goes along with zero-trust is to require multi-factor authentication from all users, or to go all the way to biometric identification.
What Do You Do if You Have a Third-Party Data Breach?
You just became aware of a data breach at your company. What to do next depends on whether hackers stole consumer information from your company server, an employee stole employee information, or information was unintentionally made available on your company website.
What actions must be taken, and who ought to be contacted if it appears that private information has been revealed?
Make Your Operations Secure
Be sure to act swiftly to patch any vulnerabilities in your systems that may have contributed to the incident. The damage from data breaches compounds quickly when one incident is followed by another. So take immediate action to prevent it from happening again.
Secure any locations that are connected to the incident. If necessary, lock them and modify the access codes. Then, ask law enforcement and forensics professionals whether it is OK to restart normal activities.
Immediately mobilize your breach response team to stop further data loss. The specific actions to take may vary depending on the type of breach and how your company is set up.
Take Down Information That Is Online
Remove any incorrectly uploaded personal information from your website immediately if the data breach involved it. Be aware that internet search engines “cache” or retain information for a while. To ensure that search engines do not archive personal information submitted inadvertently, you can get in touch with them.
To ensure that no other websites have saved a copy of the disclosed data from your firm, search for it. If you find something, get in touch with those websites and urge them to take it down.
Interview the individuals who found the breach. Additionally, ask anyone else who might be familiar with it. Finally, ensure the workers at your customer care center know where to send information that might help your investigation of the incident.
Alert the Necessary Parties
Notify law enforcement, police, other impacted organizations, and affected individuals when your company suffers a data breach.
Find out what the law requires of you. All 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands have passed legislation mandating notice of security breaches involving personal information.
There could also be other rules or regulations that apply to your circumstance, depending on the categories of information implicated in the breach. Check state and federal laws and regulations for any requirements that apply specifically to your company.
It’s overwhelming to figure out what to do in the heat of the moment. Therefore, incident response plans are imperative. Comprehensive response plans outline the roles, responsibilities, and activities that need to occur in the event of a data leak or security breach.
Overcoming Resistance from Your Third-Party Vendor
Preventing third-party data breaches and other cyberattacks is a constant job that may seem overwhelming for small business entrepreneurs. Cybercriminals target credit card data, Social Security numbers, and personal information. Sometimes, you may be stuck with a third-party vendor that is reluctant to follow best practices but is the only one in its field of service.
If that’s the case, then matters come down to the level of risk your organization is willing to accept and which cybersecurity measures you have in place to help prevent the poor practices of a third-party vendor from hurting the core of your business.
Through education, you may convince your vendors about the importance of security standards. A third-party vendor may welcome a well-developed risk management plan as an addition to security basics such as protecting against malware, ransomware, and phishing. Share access to information security training webinars and other materials to help develop their interest.
No matter how you broach the topic, think “security first” when pursuing a third-party vendor relationship. It will ultimately lead to fewer third-party data breaches!
Improve Your Cybersecurity with the Reciprocity ROAR Platform
Cybercriminals don’t take a rest, so let us help you keep track of the new cyberattacks and scams that pop up daily. The Reciprocity ROAR platform is an intuitive and easy-to-use platform that keeps an eye out for new compliance issues and regulations while you work on your business.
It’s challenging to manage third-party providers and the risks they pose to your company using spreadsheets or other conventional techniques. This vendor risk management program will streamline your onboarding and vendor risk assessment processes.
The platform combines a straightforward user interface with sophisticated automation and analytics to simplify the entire process. Additionally, it uses inherent risk analysis to evaluate appropriate supplier controls and conduct supplier due diligence.
Managing third-party risk is essential regardless of the size of your business or the sector you are in. Take action before it’s too late and adopt a risk and compliance system that scales as your business grows, automatically analyzes risks, and identifies potential hazards.
Get a Free Demo today and get the advantage of the ROAR Platform.