Don’t Let Trusted Vendors Become Cyber-Breach Enablers

Why your company’s business partners may be its weakest link

By now, most companies have gotten the message that failure to implement cybersecurity best practices exposes their enterprise to alarming risks. But what many don’t realize is that their attack surface may be larger than they think – and the weakest link may exist outside their organization with their business partners.

From cloud providers to professional service firms to outside software and hardware, almost every business relies on third-party vendors to support core functions – and it’s common for many of these vendors to have access to internal systems and sensitive data. The average business surveyed for the Ponemon Institute’s 2018 Data Risk in the Third-Party Ecosystem report shares confidential and private information with a whopping 583 third parties.

Embedded in this interconnectivity is an inherent risk that must be addressed, especially as a growing number of regulations hold businesses responsible for making sure their vendors protect critical data. In today’s climate, managing the cybersecurity compliance of third parties is no longer just a good idea –it’s a necessity.

A third-party attack – also known as a supply chain or value-chain attack – takes place when a bad actor enters a company’s network through an outside partner or provider. The most infamous example happened in 2014 when attackers used credentials stolen from an HVAC vendor to steal the private data of 70 million customers and 40 million credit and debit cards from retail giant Target.

Other instances abound. Equifax blamed its massive breach on flawed outside software. The leak that formed the basis of the Paradise Papers – which delivered 13 million files detailing offshore tax avoidance by major corporations, politicians, and celebrities to news outlets – allegedly came from a law firm.

Even worse, ending the vendor relationship doesn’t also end the risk. Domino’s Australia blamed lax security at a former vendor for a data breach that leaked customer details in 2017.

More than 60 percent of U.S. organizations have suffered a data breach that started with a vendor or third party, according to the Ponemon Institute report. But despite this concerning statistic, only 34 percent maintain a comprehensive list of the third parties they share confidential and sensitive information with, the report said.

The situation becomes even murkier in regard to “Nth parties,” or vendors that are used by a company’s vendors. Only 12 percent of businesses believe they would be informed about a breach at a relevant Nth party, and only 15 percent said they even know how Nth parties are accessing or processing their data, the report said.

Vendor breaches can expose your business to hefty fines

Here’s how third-party attacks usually work: Cybercriminals target a business that stores valuable information they can use to turn a profit, such as credit card numbers, Social Security numbers, and bank account information.

Reconnaissance begins, and a quick Internet search reveals at least some of the organization’s third-party relationships. If hackers struggle to penetrate its main target’s security defenses, many times they will move on to its vendors, which are typically smaller businesses and more likely to lack robust cybersecurity measures.

Once criminals gain access to the vendor’s network, they will try to “pivot” into the original target – meaning they will use a compromised device to access other devices. If the vendor doesn’t have the right security controls in place to detect a bad actor in its system, the hacker could patiently wait for days or even months before gaining the necessary credentials to infiltrate its target’s network. Once they do, they have unfettered access to steal or manipulate data, deploy ransomware, or achieve other malicious goals.

With so much at stake, it’s no surprise that regulators are taking a hard look at third-party risks. New York’s groundbreaking cybersecurity regulation, 23 NYCRR 500, threatens hefty fines to financial service companies that don’t insist upon strong cybersecurity practices at entities they do business with. The European Union’s General Data Protection Regulation (GDPR) also requires covered businesses to manage third-party risks, as does California’s new Consumer Privacy Act (CCPA).

How to manage third-party risk

Of course, proper oversight of third-party attacks matters for more than just compliance benefits. The average data breach costs U.S. companies $7.91 million. Perhaps just as damaging is the reputational harm that occurs when angry or frightened consumers and investors stop doing business with companies that exposed sensitive information to hackers.

But even if your organization implements the industry’s best cybersecurity practices on its own systems, working with third parties with poor security measures leaves it exceedingly vulnerable to cyber-attacks. Here are seven steps companies can take to strengthen their third-party cyber-defense programs:

  1. Vet your vendors. Create a process for vetting a third party’s security measures before entering into a relationship.
  2. Formalize expectations. A data directive that documents data ownership and management is essential for third-party contracts. Key points that need to be addressed include how your company’s data is handled, who owns the data, who has access to it, how long it will be retained, and what happens to it if the relationship ends.
  3. Understand the big picture. Build an inventory of all third parties that have access to your company’s sensitive data, as well as how many of these parties are sharing your data with others. Be sure to highlight which vendors would have the biggest impact on your organization if a breach occurs based on the sensitivity and volume of data they are handling.
  4. Perform regular audits. Implement formal processes to regularly evaluate the security and privacy practices of third- and Nth-party vendors, and to ensure they are meeting obligations set forth in your service-level agreement. Don’t forget to address security measures surrounding new technologies, such as the Internet of Things (IoT) devices. Continuously assessing your vendors’ security hygiene will help you address issues before problems occur.
  5. Monitor high-impact vendors carefully. Pay special attention to your high-impact vendors, keeping an eye on trends, threat scenarios, and changes in their security posture. It’s also wise to ask these vendors for data flow diagrams so you understand where your data is going and whether there is an Nth vendor you need to investigate, like a backup storage provider.
  6. Demand transparency. Insist that third parties notify your company before sharing your sensitive data with Nth party vendors.
  7. Keep the board in the loop. Educate your company’s senior leadership and board of directors about third-party risk management programs. Encouraging high-level attention to third-party risk goes a long way toward achieving the budget you need to address these threats.

In today’s connected world, it’s nearly impossible to avoid giving third-party vendors access to your company’s network. But when you do, you are significantly expanding the avenues that threat actors can use to weasel into your systems and expose your business to significant reputational, financial, and regulatory risks. An exceptional cybersecurity provider can not only implement next-generation security controls that safeguard your organization from cyber-attacks – but they can also help you ensure that your vendors are taking cybersecurity as seriously as you do.

CyberGuard360 is trailblazing a new software category with CyberGlass, the first and only cybersecurity product on the market to combine all the elements of a complete cybersecurity program in a single interface. To learn more about its full suite of features, including behavior analytics, next-generation endpoint protections, and scripted and automated response through a machine learning engine, call us at 844-315-9882 or use our contact form for a free consultation.