Third-Party Breaches: How Secure are Your Vendors?
Verizon, Trump Hotels, and the RNC are Among the Recent Victims of Third-Party Breaches
Even if your own cyber security is up to snuff, your organization could be at risk of third-party breaches if your business partners are not as diligent as you are. Verizon just learned this lesson the hard way after one of its vendors, telephonic software and data company NICE Systems, left the information of 14 million Verizon customers on a misconfigured Amazon server.
This incident did not happen in a vacuum. Other recent third-party breaches affecting major organizations include:
- The Republican National Committee (RNC), whose data analytics vendor exposed the data of 198 million voters after leaving it on – you guessed it – a misconfigured Amazon server.
- Trump Hotels, which, along with chains such as Hard Rock and Four Seasons, had its customer data exposed after a breach at its reservations vendor, Sabre Corporation.
- A number of Google employees were also impacted by the Sabre breach because Google’s third-party travel management company used Sabre’s systems – meaning this breach happened at the third-party vendor of a third-party vendor.
- Netflix, which had the upcoming season of its hit series Orange Is the New Black dumped online after a hacker breached a third-party post production house, Larson Studios. It has since been discovered that the hackers got into Larson’s systems by taking advantage of the fact that the company was running an antiquated version of Windows.
Third-Party Breaches Common in the Age of Outsourcing
Once a dirty word, outsourcing is a normal part of doing business in the 21st century. Organizations of all sizes routinely retain the services of third-party business partners to take care of all manner of functions outside their core competencies, from cloud storage to customer billing to payroll services. Unfortunately, because so many business functions are now outsourced, third-party breaches have more common than primary data breaches; an estimated 63% of all enterprise breaches can be traced back to a third-party vendor.
If one of your vendors gets hacked, don’t expect to be able to point fingers and pass the buck. Even if your business partner makes a colossal mistake, your organization will be the one that’s held responsible by your customers, any affected banks, and regulatory bodies. The infamous Target breach, which cost the company nearly $300 million and shook up its C-suite, involved a third-party vendor.
Protecting Your Organization from Third-Party Breaches
As with primary cyber attacks, the best way to deal with third-party breaches is to prevent them from happening in the first place. While you cannot dictate to your business partners how they should run their firms, as their paying customer, your enterprise is not without recourse:
- Understand your enterprise ecosystem so that you can build risk profiles for all of your business partners. Who are your business partners, and what service does each provide? What level of access do they have to your data and systems?
- Understand who your vendors are subcontracting to and whether they will have access to your data. As in Google’s case, a breach at a third-party vendor used by one of your third-party vendors can come back to haunt your organization.
- Include cyber security provisions in your vendor contracts, including security measures your business partners must take regarding their own vendors.
- Give your vendors the minimum level of access to your systems and data that they need, and no more.
- Only do business with IT services vendors who have released AICPA SOC / SSAE16 reports and/or who have important IT security certifications such as NIST, ISO, or FedRAMP. These organizations have undergone rigorous security audits and have proven their commitment to the highest levels of data security.
Further to the above, if your business provides IT services to other businesses, obtaining the appropriate data security certifications is a wise investment that will help you instill trust in your customers. Continuum GRC’s IT Audit Machine (ITAM IT audit software) RegTech solution empowers organizations to get and maintain compliance the easy way, with self-help modules covering numerous compliance standards, including FedRAMP, SSAE 16, AT 101, CJIS, DFARS, COBIT, ISO 27001, ISO 27002, ISO 27005, SOX, FFIEC, PCI, GLBA, HIPAA, CMS, NERC CIP and other federal and state mandates.
The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.
Continuum GRC is proactive cyber security®. Call +1 (888) 896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.