As the infamous SolarWinds Attack wreaked havoc on several organizations around the world, the importance of including supply chain risk management in an organization’s security framework became glaringly clear. The attack served as a reminder that security and privacy risks can come from a variety of vectors, including third-party service providers and vendors.
Even though third-party vendors, suppliers and partners are an indispensable part of a company’s business, they also serve as a strategic target for cyber criminals. Third-party data breaches can have devastating consequences not only for the victim organization but also for everyone else involved.
According to a report by Ponemon Institute, 51% of businesses have suffered a data breach caused by a third party, with 44% suffering a breach within the previous 12 months. Out of these 44% organizations, 74% data breaches were the result of giving too much privileged access to third parties.
Consequences of a Third-party Data Breach
When organizations do not take appropriate measures to shield themselves against third-party risk, they leave their business vulnerable to both security and non-compliance risks. These data breaches can be extremely disruptive and have some severe consequences for your business, including:
1. Financial Losses
Data breaches are expensive regardless of how they are caused. As per the Cost of a Data Breach report by Ponemon Institute and IBM, $3.92 million is the average cost of a data breach, while $150 is the average cost of each lost record. One of the factors that can amplify the cost of the breach is who caused it. A breach costs more if a third party is involved. According to the report, the cost of a third-party data breach tends to increase by over $370,000 and $4.29 million is an adjusted average total cost of these data breaches.
2. Legal Battles
If your organization suffers a third-party data breach, you will be held liable for any customer records exposed during the breach, exposing you to costly state investigations and class action lawsuits. These legal battles and investigations will not only cost you dearly in the form of legal fees but also hamper your everyday business operations.
3. Exposure of Sensitive Information
Third-party data breaches don’t just result in the loss of funds or customer information. They can also cause the loss of your intellectual property. Ranging from data-stealing malware to ransomware that locks you out of your business data and threatens to sell it if the ransom isn’t paid, there are several attack vectors that can expose your company’s proprietary information and cause great damage.
4. Damaged Reputation
One of the worst consequences of a data breach, regardless of whether it is caused by you or a vendor, is the damage to your company’s reputation. Even if the data breach is in no way your fault, all that matters to your customers is that they trusted you with their information and you let them down. This can also have a huge financial impact on your business.
“It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.”
– Stéphane Nappo, CISO at Société Générale International Banking
Some Disruptive Third-party Data Breaches
There have been a series of security incidents involving third-party breaches all around the globe. Here is a list of some of the recent third-party data breaches that have occurred worldwide:
1. In April 2021, the Pennsylvania Department of Health announced a data breach that involved a third-party vendor engaged to provide COVID-19 contact tracing. As the result of this breach, the personal information of many Pennsylvania residents was potentially compromised. The breach occurred when the vendor company’s employees used an unauthorized collaboration channel. This is another example of the growing significance of cyber security in the healthcare industry.
2. India’s second-largest stock broker, Upstox, suffered a data breach in April, 2021 that affected its 2.5 million customers. Over 56 million KYC data files were leaked including email IDs, date of birth, passports, PAN, etc. The infamous hacker group ShinyHunters gained access to the KYC details and contact data by compromising a third-party warehouse.
3. TriHealth medical system, based in Ohio, suffered a third-party data breach, resulting in the compromise of patient and employee data. TriHealth works with a law firm called Bricker & Eckler, which experienced a breach of their email systems, leading to the exposure of personally identifiable and protected health information of certain TriHealth employees and patients. The law firm is contacting all the compromised individuals and has added new security protocols. These kinds of attacks are specially distressing as the sale of healthcare data on the dark web has become a major security issue.
4. The popular wireless parking company ParkMobile was hit by a data breach caused by a vulnerability in a third-party software. It is believed that the breach affected over 20 million accounts across the US. Basic information such as user email addresses, phone numbers and car license plates may have been stolen. The encrypted passwords were also accessed, however, the encryption keys required to read the passwords are still safe.
How to Prevent Third-party Data Breaches?
As many big and small organizations worldwide are becoming a victim of third-party data breaches, it has become essential to adopt the appropriate risk controls for preventing these breaches. Here are some measures you can take to shield your organization against this threat:
Perform Due Diligence Before Onboarding the Vendor
One of the most important measures you can take to keep your data safe is to thoroughly analyze your vendor’s cyber security risk before you onboard them. Make sure to check the vendor’s cyber security policies, controls and procedures for performing a thorough assessment of their cyber security posture. Avoid providing the vendor with access to PII data before estimating the cyber risk they pose.
Limit the Vendor’s Access to Data
The most effective way of preventing a third-party data breach is to limit a vendor’s access to your data. Providing every vendor with unrestricted access to your data can significantly increase the likelihood of a data breach. You can limit data access depending on a vendor’s security posture. Make sure your vendors can only access the data they need to get on with their jobs and nothing more.
Keep Tabs on the Vendor’s Cyber Security Controls
It is imperative to regularly monitor your vendors’ cyber security protocols. Hackers come up with new and sophisticated techniques for bypassing security controls every day. So, it is essential that your vendors constantly keep their security protocols and controls updated as well.
Train your Staff
You employees enjoy access to lots of confidential and sensitive information, which can cause significant damage if compromised. To keep this data secure, it is essential to make sure that your employees are vigilant enough to prevent this data from getting leaked. They should know the consequences of sharing confidential data with outsiders, regardless of whether they are trusted vendors or loyal customers. Organizations should provide their employees with cyber security awareness training to make them cyber aware and responsible. You can use tools like ThreatCop to effectively generate cyber security awareness among your employees.
Conduct Periodic VAPT
Conducting Vulnerability Assessment and Penetration Testing (VAPT) helps you in identifying all the weaknesses and flaws in your organization’s cyber security infrastructure including your third-party risk management policies. Once detected, fix these vulnerabilities on priority to keep your business data safe.
So, take these precautions to protect your company against the threat of third-party breaches. Did I miss some tips? Leave a comment below!