A third-party data breach happens when your vendor or business partner’s computer system is compromised and exposes your sensitive data. Any vendor in your business ecosystem is vulnerable to attacks by cybercriminals, and industry experts estimate that about 60 percent of all data breaches happen via third-party vendors. Credit card companies are big targets, as are email, internet, and cloud service providers.

IBM and the Ponemon Institute report that on average a company takes 280 days to detect a third-party data breach. Why so long? One reason is that cybercriminals have become much better at operating in stealth mode once they get inside your computer system. Another, more sinister reason is that some third-party vendors may attempt to hide a data breach from clients, perhaps because the vendor lacked security controls that could have discovered the breach earlier.

Either way, the consequences and cost to recover from a breach can be detrimental to your business and your bottom line. Some industry reports list the average cost of recovery and remediation at more than $7 million.

Common Data Breaches Caused by Third-Party Vendors

Phishing and ransomware attacks have been spiking — especially during the COVID pandemic, which sent many employees to work from home over VPN connections of widely varying security. Phishing and ransomware are common cybercrime tools that may lead to the following types of data breaches:

  • Unauthorized access via a company email account. That’s what happened to General Electric when it experienced a breach that exposed personal data such as marriage certificates, passports, driver’s licenses and tax withholding forms.
  • Hacking of an email provider. T-Mobile experienced this when it lost control over customer information for about 1 million of its clients.
  • Lack of encryption. Health Share of Oregon, which coordinates care for Medicaid clients in the state of Oregon, had an unencrypted laptop stolen and exposed personal information for more than 650,000 clients.
  • Insecure websites and improperly stored login information. A bug on the third-party site Social Captain allowed access to thousands of usernames and passwords for Instagram accounts.

These breaches are bad enough on their own. Even worse is that by the time they are discovered, the sensitive information lifted by cybercriminals is already available for sale on the dark web. From there it’s used to perpetrate even more scams on unsuspecting customers and clients whose phone numbers and addresses have been exposed.

Preventing Third-Party Vendor Data Breaches and Holding Vendors Accountable

It can be difficult for a business to hold third-party vendors accountable, especially if you don’t have a third-party security policy or program. Ideally, any third-party vendor should apply and enforce the same rigid standards and data security controls that your own company imposes internally.

The Ponemon Institute found that more than 50 percent of businesses have experienced a third-party vendor data breach, and of those afflicted, more than 70 percent suffered that predicament because they allowed a third-party vendor access to too much confidential information.

So how do organizations best prevent third-party vendor data breaches? It all begins with a robust and responsive vendor risk management policy, which may be divided into four action areas:

  1. Audit third-party vendors for compliance.

    Some third-party vendors are not open to being audited by partners. If your third-party vendor is resistant to answering simple questionnaires as part of your due diligence during onboarding, you will most likely experience even more resistance to an audit.

    Up-to-date data protection measures are central to a good third-party relationship, and the only way to really find out what’s going on is by an audit. The audit should look at how well the organization executes against its security compliance framework. Also, make sure that the audit looks for indicators of compromise or failed past audits, as well as addresses how well the vendor assesses cybersecurity risk.

  2. Require proof of the third-party vendor’s cybersecurity program.

    Proving that the third-party vendor has an information security program is only half the battle in the fight against third-party breaches. The third-party vendor should also be able to show that it takes risk management seriously and dedicates resources to its vulnerability management program on an ongoing basis.

    Make sure to ask for the most recent results from risk assessments, penetration testing, and compliance frameworks. It is critical that the third-party organization has a robust risk management program and that it also has a supply chain risk mitigation strategy, as well as plans for how to remediate a potential data breach.

  3. Adopt a least-privilege model for data access.

    Many third-party data breaches have one thing in common: the third party was given more access than it needed to do the job it had been contracted for. Holding third-party service providers to strict least-privilege access standards will go a long way toward improving your network security.

    Be especially careful with sensitive data such as Social Security numbers or other personal information. Least-privilege access is the cornerstone of third-party risk management, and a breach will do the least damage when the third-party vendor’s access is restricted to the lowest level possible.

  4. Adopt the Zero Trust network and data model.

    When your network flows are mapped, authenticated, and encrypted, your security ratings will improve dramatically. Cyber criminals may gain access to one part of your computer system, but with a Zero Trust model they will be unable to move laterally through your computer systems.

    Zero Trust means just that: do not trust any entity, inside or outside the established network perimeter, at any time. Part of the cybersecurity protocol that goes along with Zero Trust is to require multi-factor authentication from all users, or to go all the way to biometric identification.
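To make steps 3 and 4 concrete, here is an added example (written for this article, not ZenGRC’s code or any vendor’s product) of a per-request policy check that enforces both ideas at once: every request must be authenticated, MFA-backed, and encrypted regardless of where it originates, and it must fall within the vendor identity’s explicitly granted scope. A second function reviews a vendor’s grant against a window of access logs and reports permissions that were never exercised, which is exactly the over-provisioning the text describes. All vendor names, permission strings, and log lines are constructed for the example.

```python
"""
Least-privilege scope check plus Zero Trust request evaluation.
Added example for illustration; not ZenGRC code. Vendor names,
permission strings and log lines are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class VendorGrant:
    """Permissions a vendor identity holds, as 'resource:action' strings."""
    vendor: str
    permissions: FrozenSet[str]


@dataclass(frozen=True)
class AccessRequest:
    """One request as seen by the policy enforcement point."""
    vendor: str
    resource: str
    action: str
    identity_verified: bool    # token or certificate validated for this request
    mfa_passed: bool           # second factor satisfied in this session
    transport_encrypted: bool  # flow is TLS/mTLS rather than plaintext
    source_network: str        # "internal" or "internet"; never used to grant trust


# Constructed grants: one over-broad, one scoped to the contracted job.
GRANTS: Dict[str, VendorGrant] = {
    "billing-vendor": VendorGrant(
        "billing-vendor",
        frozenset({"invoices:read", "invoices:write", "customers:read",
                   "ssn:read", "payroll:read"})),  # far more than invoicing needs
    "support-vendor": VendorGrant(
        "support-vendor",
        frozenset({"tickets:read", "tickets:write"})),
}


def evaluate(req: AccessRequest, grants: Dict[str, VendorGrant]) -> Tuple[bool, str]:
    """Zero Trust decision: authenticated, MFA-backed, encrypted, and in scope.
    Source network is deliberately ignored, so reaching the internal network
    by itself earns an attacker nothing."""
    if not req.identity_verified:
        return False, "deny: identity not verified"
    if not req.mfa_passed:
        return False, "deny: multi-factor authentication required"
    if not req.transport_encrypted:
        return False, "deny: unencrypted flow"
    grant = grants.get(req.vendor)
    if grant is None:
        return False, "deny: no grant for vendor"
    perm = f"{req.resource}:{req.action}"
    if perm not in grant.permissions:
        return False, f"deny: {perm} outside least-privilege scope"
    return True, f"allow: {perm}"


def unused_permissions(grant: VendorGrant, access_log: List[str]) -> FrozenSet[str]:
    """Granted permissions the vendor never successfully used in the log window;
    these are the candidates to revoke in a least-privilege review.
    Constructed log format: '<timestamp> <vendor> <resource>:<action> <result>'."""
    exercised = set()
    for line in access_log:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip it
        _, vendor, perm, result = parts[:4]
        if vendor == grant.vendor and result == "allow":
            exercised.add(perm)
    return grant.permissions - frozenset(exercised)


# Constructed 30-day access log for the billing vendor.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z billing-vendor invoices:read allow",
    "2024-05-02T10:40:11Z billing-vendor invoices:write allow",
    "2024-05-03T11:05:47Z billing-vendor customers:read allow",
    "2024-05-07T08:59:30Z billing-vendor ssn:read deny",
    "malformed line",
]


if __name__ == "__main__":
    # Internal origin does not help a session that lacks MFA.
    internal_no_mfa = AccessRequest("billing-vendor", "invoices", "read",
                                    identity_verified=True, mfa_passed=False,
                                    transport_encrypted=True, source_network="internal")
    print(evaluate(internal_no_mfa, GRANTS))
    # Permissions the billing vendor holds but never used: revoke them.
    print(sorted(unused_permissions(GRANTS["billing-vendor"], SAMPLE_LOG)))
```

Running the block prints a denial for the un-MFA’d request even though it came from the internal network, and lists `payroll:read` and `ssn:read` as permissions the billing vendor holds but never used. In a real program the grants would come from your identity provider and the log from its audit trail; the review logic stays the same.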

Overcoming Resistance From Your Third-Party Vendor

Preventing third-party data breaches and other cyberattacks is a nonstop job that may seem especially overwhelming for small business entrepreneurs. Cybercriminals target credit card data, Social Security numbers, and all sorts of personal information, and sometimes you may be stuck with a third-party vendor that is reluctant to follow best practices but is the only one in its field of service.

If that’s the case, then matters really come down to the level of risk your organization is willing to accept, and which cybersecurity measures you have in place to help prevent the poor practices of a third-party vendor from hurting the core of your business.

You may, however, be able to entice your desired third-party vendor and its own contractors to raise their standards. A third-party vendor may welcome a well-developed risk management plan as an addition to the security basics it already has in place, such as protection against malware, ransomware, and phishing. Something as simple as sharing access to training webinars and other information security education may also be a good start for a developing vendor relationship.

No matter how you broach the topic, think “security first” when pursuing a third-party vendor relationship. It will ultimately lead to fewer third-party data breaches!

Discover the full power of ZenGRC

Cybercriminals don’t take a rest, so let us help you keep track of the new cyberattacks and scams that pop up every day. ZenGRC is an intuitive and easy-to-use platform that keeps an eye out for new compliance issues and regulations while you work on your business.

Get a Free Demo today and get the advantage of ZenGRC.