Third Party Risks
There is a growing number of security threats linked to third-party supplier and contractor access. Over the last few years the media spotlight has shone on high-profile companies such as Equifax, Yahoo, Target, Goodwill, Home Depot and Uber.
The latest high-profile company to make media headlines is PayPal for a recent data breach in which information of up to 1.6 million customers has been stolen. Unknown attackers reportedly gained unauthorized access to PayPal’s payment processor (TIO Networks) locations that stored personal customer and billers’ customer information.
Most data breaches are linked to third parties such as contractors, suppliers, or vendors.
According to the Soha Systems Survey on Third-Party Risk Management, 63% of all data breaches are linked in some way to third parties, such as contractors, suppliers, or vendors that have access to a business’ systems.
Yet, while third parties cause or are implicated in the majority of all data breaches, third-party access is not treated as a priority when IT initiatives and budgets are decided.
As companies develop cybersecurity measures, one problem they uncover is that third parties are the weakest link in the data management chain. It is a business necessity to outsource some, if not all, data management, storage, and processing activities to third-party vendors.
Putting your company’s sensitive data into the hands of a third party carries a degree of risk.
It is not uncommon for hackers to gain access to businesses through third-party vendors and to compromise data. Regardless of how sophisticated your cybersecurity protections are, your data could be exposed if your third-party vendor has cybersecurity vulnerabilities.
Third-party data breaches are a serious risk to business and you have much to lose if you don’t take the security of your vendors seriously.
Not only are the financial costs phenomenal, it is a PR nightmare and requires extensive efforts to repair reputation damage and regain consumer trust.
Home Depot has recently agreed to a $25 million settlement to pay banks for damages they incurred as a result of its 2014 security breach, one of the largest data breaches in history.
The settlement also requires Home Depot to tighten its cyber-security practices and to subject its vendors to more scrutiny—a measure tied to the fact that a security flaw by a third-party payment processor made the hacked self-checkout terminals vulnerable.
Home Depot has already paid at least $134.5 million in compensation to consortiums made up of Visa, MasterCard, and various banks and also last year agreed to a $19.5 million settlement to affected customers that included a $13 million cash fund as well as credit monitoring services.
This far exceeds the $18.5 million multi-state settlement by retailer Target following a 2013 cyber attack that affected over 41 million customer payment card accounts.
Hackers broke into Target’s network using login credentials stolen from a third-party HVAC vendor that does work for them. The massive data breach may have resulted partly from the retailer’s failure to properly segregate systems handling sensitive payment card data from the rest of its network.
High-profile breaches highlight the need for third-party service provider due diligence and companies are advised to safeguard third-party management agreements.
While your business may not be a large retail giant like Home Depot or Target, your business could be exposed to the same dangers if you neglect to factor in third-party service provider security risks. Regardless of your company size or industry, it is important to recognize the seriousness of data breaches and to protect your business by making security a priority for your vendors as a first step to mitigating some of your business’s cybersecurity risk.
Take Steps to Limit Your Third-Party Risks
Steps can be taken to limit your exposure to third-party security risks. The first step to safeguard your organization from security threats posed by third-party service providers is to start from within. Ensure that you have multi-layered security that covers your entire enterprise to include all users, all endpoints, all devices, all applications and all data.
Multiple layers of protection should include encryption, identity and access management, and two-factor authentication for all network and data access requests from third parties. Make sure the right policies and governance are in place so that you have the controls, visibility and accountability, identity management and access controls that third-party access requires.
It is advisable to perform a third-party vendor assessment for each potential third-party relationship.
Risks should be evaluated and quantified across information, integrity, technology and financial risk. When hiring a third-party vendor, businesses benefit from negotiating a contract that specifically details the security measures and safeguards the vendor must apply when handling the business’s data.
In addition to the initial assessment, it is important to continuously assess the vendor’s security standards and best practices to determine if they continue to meet those of your organization. Ongoing risk measurement and monitoring, performance measurement and monitoring, and incident tracking are important activities for determining when or whether to renegotiate agreements with third parties.
It is important to ensure that your third-party vendors know how seriously your company takes cybersecurity, so that they will take it seriously as well.
Making cybersecurity a top priority for third-party vendors by putting in place a business agreement with the vendor and having a culture of cybersecurity risk management awareness and education can go a long way in reducing vendor-related security risk.
By having a proactive attitude of prevention throughout your organization, you are demonstrating to your customers and vendors that your company views cybersecurity as a top priority.
Don’t wait until a breach occurs before you treat data security as a top business priority.
Businesses are responsible for the data that they collect, transmit, use, and process, even if it is entrusted to a third-party vendor.
Talk to the team at Ascension Global Technology to find out more about multi-layered cybersecurity protections for your company to reduce your in-house risks. Our advisors can assess your current cybersecurity risk profile, provide you with multi-layer cybersecurity solutions and tell you more about how to minimize your third-party security risks.
References and further information:
Security Magazine, 6 Best Practices that Reduce Third-Party Cybersecurity Risk
Security Magazine, 4 Steps to Mitigating Third-Party Vendor Cybersecurity Threats
Security Magazine, Target Traces Security Breach to Stolen Vendor Credentials
Industry Week, Third-Party Risk and What to Do About It
Computer Weekly, Bad outsourcing decisions cause 63% of data breaches
TechTarget, Goodwill breach highlights need for service provider due diligence
CNN Tech, Uber’s massive hack: What we know
CNN Tech, Uber paid hackers $100,000 after they stole data on 57 million users
Federal Trade Commission, The Equifax Data Breach: What to Do
USA Today, Target to pay $18.5M for 2013 data breach that affected 41 million consumers
Computer World, Target breach happened because of a basic network segmentation error
TechTarget, Third-party risk management: Horror stories? You are not alone
ZDNet, PayPal’s TIO Networks reveals data breach impacted 1.6 million users