Modern organizations are interconnected in so many different ways that a single data breach can cause a tsunami of cybersecurity incidents, and it doesn’t matter if the initial breach affected a contractor, SaaS vendor, or some other third-party service provider.
The problem is that third-party data breaches are notoriously difficult to defend against, which is one reason why nearly 50% of organizations have experienced a significant data breach caused by a third-party vendor, according to this eSentire survey!
So, is there anything at all that can be done about this dangerous cyber threat? Yes, quite a lot. But before we explain the top five ways your organization can prevent a third-party data breach, let’s first briefly discuss the importance of third-party risk management.
Understanding the Impact of Third-Party Data Breaches
Back in 2013, cybercriminals managed to successfully infect Target’s HVAC vendor with general-purpose malware known as Citadel through an email phishing campaign.
The malware allowed them to steal login credentials, which, in turn, let them access Target-hosted web services dedicated to vendors. From there, it was just a matter of finding an exploitable vulnerability and moving across Target’s vast network.
When the dust finally settled, as many as 40 million customer credit card accounts, and up to 110 million sets of personal information, had been stolen. The data breach cost Target $252M, and its reputation has yet to fully recover.
Third-party data breaches such as this are not uncommon.
In fact, they happen every day and frequently result in an unintended disclosure of administrative passwords, private keys and certificates, credit card and social security numbers, email addresses, phone numbers, and other sensitive information.
A 2018 Ponemon Institute study found that 57 percent of respondents did not know whether their organizations’ vendor safeguards were sufficient to prevent a data breach, while 31 percent of respondents surveyed for the State of Third-Party Risk Management report stated that their vendors were a material risk in the event of a data breach.
Those are worryingly large numbers considering the potential consequences a third-party data breach can have.
What’s more, the financial impact of a third-party data breach is amplified by stringent data protection regulations, such as the EU’s General Data Protection Regulation or the California Consumer Privacy Act, and the steep penalties imposed by them.
Third-Party Data Breach Prevention Tips
Your organization’s security will always depend on your vendors’ ability to keep their systems and data secure, and that’s not something you can influence directly. However, you can influence your vendor relationships, and our third-party data breach prevention tips reflect this.
1. Assess Your Vendors Beforehand
Business and romantic relationships alike can be difficult to end, so you should always go the extra mile to ensure that you won’t end up in a toxic one. And what can be more toxic than a relationship with a third-party vendor whose poor cybersecurity puts your organization at risk?
If you know what to look for, you can assess potential vendors using a vendor risk assessment questionnaire, a type of questionnaire whose purpose is to identify potential weaknesses among your third-party vendors.
More and more vendors these days assess their cybersecurity using security ratings, which are data-driven measurements of an organization’s security posture created by a trusted, independent security rating platform. Thanks to their easy-to-understand nature, security ratings help reduce operational overhead during vendor selection, and they provide useful insights even without expert knowledge.
2. Limit Access to Your Network and Data
It’s never a good idea to give a vendor unlimited access to your entire network. Instead, you should follow Privileged Access Management (PAM) best practices and give elevated permissions to critical resources only to those vendors that actually need them, when they need them. Since your vendors’ roles and responsibilities are likely to change over time, you need to review their access rights regularly and modify them as needed.
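A periodic access review like the one described above can be partly automated. The following is an added example, not part of the original article: it checks a constructed inventory of vendor grants for standing privileged access, expired grants that are still being used, and grants nobody uses. The field names, vendors and dates are hypothetical.

```python
from datetime import date, timedelta

# Constructed sample grants; vendor names, resources and dates are hypothetical.
GRANTS = [
    {"vendor": "hvac-co", "resource": "billing-portal", "privileged": False,
     "expires": date(2024, 12, 31), "last_used": date(2024, 5, 28)},
    {"vendor": "hvac-co", "resource": "domain-admin", "privileged": True,
     "expires": None, "last_used": date(2024, 1, 10)},
    {"vendor": "payroll-saas", "resource": "hr-db", "privileged": True,
     "expires": date(2024, 5, 1), "last_used": date(2024, 5, 30)},
    {"vendor": "print-svc", "resource": "file-share", "privileged": False,
     "expires": date(2024, 9, 1), "last_used": None},
]

def review_grants(grants, today, max_idle_days=90):
    """Return {(vendor, resource): [reasons]} for grants that need action."""
    findings = {}
    for g in grants:
        reasons = []
        expires, last_used = g["expires"], g["last_used"]
        if expires is None:
            # Access with no end date never lapses without a manual review.
            reasons.append("standing-privilege" if g["privileged"] else "no-expiry")
        elif expires < today:
            reasons.append("expired")
            if last_used is not None and last_used > expires:
                # The end date exists on paper but is not being enforced.
                reasons.append("used-after-expiry")
        if last_used is None:
            reasons.append("never-used")
        elif today - last_used > timedelta(days=max_idle_days):
            reasons.append("idle")
        if reasons:
            findings[(g["vendor"], g["resource"])] = reasons
    return findings

if __name__ == "__main__":
    for key, reasons in review_grants(GRANTS, date(2024, 6, 1)).items():
        print(key, reasons)
```

A "used-after-expiry" finding is the most urgent of these, because it means the end date recorded for the grant is not actually enforced by the system that holds the account.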
In addition to restricting privileged access, you can also protect yourself against the consequences of a third-party breach by encrypting as much data as possible. That way, sensitive information can be kept secret even when attackers successfully breach your defenses and manage to get into your network.
3. Continuously Monitor Your Vendors
Many organizations make one crucial mistake that significantly increases their third-party risk: they don’t continuously monitor their vendors. The truth is that passing a single cybersecurity risk assessment is not nearly as difficult as ensuring ongoing protection against evolving threats.
Even the most comprehensive vendor risk assessment questionnaire provides only a single snapshot of a vendor’s security posture. As such, it can’t warn you about risks arising over the course of your relationship with the vendor.
When continuously monitoring third-party vendors, it’s useful to look for both quantitative and qualitative indicators. The former kind includes various numerical data that can be objectively captured and measured, while the latter includes things such as anecdotal observations. A capable vendor management system can make this much easier, especially when monitoring multiple vendors.
4. Say Goodbye to Vendors That Put You at Risk
Unless you get extremely lucky, it’s very likely that you’ll, sooner or later, encounter a vendor that puts your organization at risk with its poor cybersecurity practices. When that time comes, you need to be ready to cut all ties with the vendor.
When offboarding a vendor, there are a few things you should always place on your checklist. To start with, you need to remove the vendor’s access to your data and systems. If the vendor had access to your physical facilities, remove it as well. Next, make sure that all goods or services that were supposed to be delivered were actually delivered. Finally, don’t forget to settle all outstanding invoices to avoid future disputes.
5. Pay Attention to Early Signs of Third-Party Data Breaches
No matter how hard you try, it’s impossible to enjoy complete protection against third-party data breaches. But don’t let this fact discourage you because you can still control the impact of the data breach by paying attention to its early signs and stopping it right at the very beginning.
Common early signs of third-party data breaches include unusual file changes, suspicious network activity, and abnormal administrative user activity, just to give some examples.
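Two of these signs, suspicious network activity and abnormal administrative user activity, can be checked against a per-vendor baseline. The following is an added example, not part of the original article: it compares constructed log lines with a hypothetical profile of where, when and how a vendor account normally operates. The log format, account names and addresses are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime

# Hypothetical baseline for one vendor account: where and when it normally
# connects, and which actions its contract requires.
BASELINE = {
    "vendor-hvac": {
        "networks": [ipaddress.ip_network("198.51.100.0/24")],
        "hours_utc": range(8, 18),
        "actions": {"login", "read_invoice", "submit_ticket"},
    },
}

# Constructed log lines in a made-up key=value format.
SAMPLE_LOG = """\
2024-06-03T09:12:44Z user=vendor-hvac src=198.51.100.20 action=login
2024-06-03T09:13:02Z user=vendor-hvac src=198.51.100.20 action=read_invoice
2024-06-04T02:41:10Z user=vendor-hvac src=203.0.113.7 action=login
2024-06-04T02:43:55Z user=vendor-hvac src=203.0.113.7 action=add_admin_user
2024-06-04T10:00:00Z user=alice src=10.0.0.5 action=add_admin_user
"""

def parse(line):
    """Split one log line into a dict with a parsed 'time' field."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def detect(log_text, baseline=BASELINE):
    """Return [(timestamp, user, [deviations])] for vendor events off-baseline."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        prof = baseline.get(ev["user"])
        if prof is None:
            continue  # not a vendor account; out of scope for this check
        src = ipaddress.ip_address(ev["src"])
        deviations = []
        if not any(src in net for net in prof["networks"]):
            deviations.append("unknown-source")
        if ev["time"].hour not in prof["hours_utc"]:
            deviations.append("off-hours")
        if ev["action"] not in prof["actions"]:
            deviations.append("unexpected-action")
        if deviations:
            alerts.append((ev["time"].isoformat(), ev["user"], deviations))
    return alerts
```

Run over the sample, `detect(SAMPLE_LOG)` flags only the two events from 203.0.113.7; the second, an administrative action outside the vendor's expected set, carries all three deviations.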
We Help Prevent Data Breaches By Third Parties
At OSIbeyond, we offer continuous monitoring services that can help you spot these and other signs of third-party data breaches. Our services include central log aggregation through a Security Information and Event Management (SIEM) platform, which is, in turn, monitored by a team of analysts in a Security Operations Center (SOC).
Get in touch with us for more information about our cybersecurity solutions.