Data breaches are nothing new. Continuing the alarming run of 2019, the first quarter of 2020 saw data leaks firmly take their place in the news. Alongside the usual phishing, malware, virus, and ransomware attacks, breaches caused by third parties were also found to have cost businesses millions of dollars over the period.
To operate in today’s interconnected digital world, organizations need to guard against third-party breaches, which can be even more costly than an internally caused data breach.
To defend against such serious threats, you need to ‘know the enemy’ well, so read on.
Third-Party Breaches – Know It Better
A recent survey conducted by the Ponemon Institute shows that 53% of organizations have experienced one or more data breaches that originated with third-party vendors, costing an average of $7.5 million to remediate.
These numbers show how serious the third-party breach problem has become for businesses.
While most organizations are still grappling with safeguarding their own data and networks, defending against attacks that target any of the third parties involved, such as business partners, service providers, and email providers, adds a new layer of complexity.
In most cases, companies have a vast partner network consisting of many smaller partners. These can be more obvious targets for attackers, even when the target business itself has already implemented a security program in-house.
A recent example is the compromise suffered by P&N Bank.
P&N Bank Breach: Into The Details
P&N, the largest member-owned bank in Western Australia, was hit with a data breach in which personal customer information, including names, addresses, email addresses, phone numbers, customer numbers, ages, account numbers, and account balances, was exposed.
The incident occurred in December 2019, when its Customer Relationship Management platform was attacked during a server upgrade performed by an outside hosting service. The bank did not disclose the number of customers affected or the name of the third party it used for hosting, and details of how the breach happened are also not available.
Still, the incident is one of many that shows how exposed an organization’s data is to threats outside the reach of its own defenses.
Are We Secure?
Does your company share any data with marketing companies or companies that handle billing? Does it outsource deliveries to a company that has access to your sales data? Does a third party monitor your physical security systems?
If so, be aware that third-party cyber risk is never entirely within your direct control.
However, there are specific steps you can take to reduce the likelihood of a third-party data breach.
- Who Are Your Vendors? The question may seem simple, but it’s essential to know exactly who is in your organization’s extended ecosystem. Once you have your vendor list, the next step is to know what data and networks your team shares with each of them. Do they really require the level of access they have? If not, set some limits.
- Who Are Your Third Parties’ Third Parties? Knowing your third parties is important, but so is identifying who is in their extended enterprise. Make sure to take an inventory of all Nth parties with whom your third-party organizations have relationships.
- Make Sure To Include Risk Management In Your Contracts: Incorporate cybersecurity risk into your third-party vendor contracts. This won’t by itself prevent a third-party breach, but it keeps the vendor accountable if their cyber risk posture changes and they fail to resolve it. Also include a contractual requirement that third parties disclose every further party with whom they will share your sensitive information.
- Keep An Eye On Security Standards: Standards are a key lever for ensuring compliance. If your organization is governed by standards such as PCI DSS, HIPAA, SOX, or other IT security frameworks, those same requirements need to be enforced on your third-party vendors too.
- Regularly Evaluate Your Vendors: Set aside traditional static third-party assessment, such as questionnaires; the most effective way to protect your data is continuous cybersecurity monitoring.
Need More Advice?
Remember, a single vulnerability at a trusted vendor gives attackers many ways to reach your organization’s and your customers’ sensitive data. Unless you follow the right approach to third-party cyber risk management, you won’t be completely secure. Beyond the fundamentals above, you can also adopt more advanced preventive measures to identify and mitigate the risks of third-party vendor breaches.
Contact our expert team at Cybernetic Global Intelligence (CGI), an Aussie cybersecurity company with years of experience in delivering excellent cybersecurity services. You may either call 1300 292 376 or email Contact@cybernetic-gi.com for help at any time.