Poor third-party security is your problem, too
You can’t do business without third parties, but too often their poor security practices put your organization in danger.
SolarWinds. It’s a name that sends shivers down the spines of cybersecurity experts and CISOs everywhere. Why? It is just the latest (and perhaps most egregious) example of a highly successful compromise of business and government networks that used a trusted third party as the vector. In this case, a Trojan inserted into a legitimately signed software update for Orion, SolarWinds’ widely used infrastructure and network management platform, was delivered to as many as 18,000 SolarWinds customers, including many U.S. federal agencies.
Target is another name that elicits a similar response. Although not as far reaching as the SolarWinds incident, the Target breach got a lot of press a few years back: the attackers first compromised one of Target’s HVAC vendors, used that vendor’s network credentials to get into Target’s environment, and from there planted card-stealing malware on thousands of Target point-of-sale terminals, during the Christmas shopping season, no less.
There are many other examples from just the past 18 months or so: T-Mobile, GE, MGM Resorts, LifeLabs, Facebook, Capital One, Marriott, and Quest Diagnostics all suffered major data breaches traced to a compromised vendor, supplier, or service provider.
Dealing with third-party breaches
These incidents have not gone unnoticed. According to Deloitte’s 2020 extended enterprise risk management (EERM) / third-party risk management (TPRM) global survey, boards of directors and senior executives “are increasingly concerned about the rising cost of getting third-party risk management wrong. This reflects the trend of a growing dependence on critical third-party relationships.” Most survey respondents cited cyber risk and information security as their top concerns, which explains why most of their budget for managing third-party risk is aimed at these two areas.
While the extent of the SolarWinds hack is still being uncovered, what is known is very concerning. The attackers (believed to be Russian) remained undetected for six months or more. Advanced persistent threats (APTs) of this kind, where attackers gain a foothold on the network and then sit, watch, and wait for the right opportunity to launch their attack, are becoming more prevalent as anti-malware tools get better at stopping tried-and-true vectors such as malware-laced files sent via email.
Third-party risk by the numbers
Two other factors driving the threat from third parties are cloud adoption and the massive numbers of employees (yours and theirs) now working from home due to the COVID-19 pandemic. As more organizations turn to cloud providers for everything from infrastructure to apps in order to support these employees, save money, and enable digital transformation, they are expanding their attack surface dramatically. Cloud providers store large amounts of sensitive data on their servers, and they, too, have extended relationships with vendors, suppliers, and service providers (so-called fourth parties) whose security practices are unknown to you.
Given that the average enterprise-class organization shares sensitive information with 583 parties, as our internal research indicates, addressing data breaches that occur outside the corporate firewall is vital to managing your third-party risk.
According to the Ponemon Institute, 53% of organizations have experienced one or more data breaches caused by a third party. The legal and regulatory consequences of leaked data often include fines, penalties, and damage to reputation and brand that drives up customer acquisition costs and decreases lifetime customer value. Shareholder value can take years to recover, if ever. (We’re still talking about Target, after all.)
In August 2020, CybelAngel researchers conducted an analysis of third-party data leaks at 50 businesses over an 11-month time period between September 2019 and July 2020. Organizations of different sizes, industries, and geographies were included in the sample. In that time, our researchers were able to access data on 3,981 publicly accessible servers, databases, and cloud applications. These leaks ranged in criticality from minor to severe, but all of these leaks were potentially damaging to the companies in the study.
Third parties were involved in:
- 39% of all code data leaks
- 62% of all critical level incidents
- 93% of leaked documents from unprotected file servers
Given that more government regulation of third-party risk is the likely outcome of so many high-profile breaches of customer data, it is clear that organizations large and small need to work with third parties who are competent risk managers.
How CybelAngel can help enterprises
Companies can no longer afford to rely on outdated methods to assess third-party risk. Questionnaires and policy and process reviews have simply become ineffective in today’s world. Staying one step ahead of attackers means fielding every tool and technology at your disposal to stop today’s data breach before it becomes tomorrow’s headline. This is where CybelAngel can help. Our Digital Risk Protection Platform keeps your organization safe by:
- Constantly scanning for leaked documents outside your enterprise perimeter, including the surface web, the dark web, the Domain Name System (DNS), cloud applications, connected storage, and open databases and datasets
- Uncovering confidential and sensitive data quickly, before it is stolen and exploited
- Using AI and machine learning to scan, classify, and filter hundreds of thousands of data sources, thousands of files, and hundreds of threats to eliminate false positives and prioritize the data leaks that are most likely to become major breaches.
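To make the "open databases" item concrete, here is an added illustration (written for this page, not CybelAngel's platform code) of the kind of check an external exposure scanner performs: it asks an Elasticsearch endpoint for cluster metadata and its index list without credentials, and rates the finding by whether the visible index names look sensitive. It assumes Elasticsearch's root endpoint and `/_cat/indices?format=json` answer with JSON when no authentication is configured and with HTTP 401 when it is; the two local HTTP servers, the hostnames, the index names and the `SENSITIVE_HINTS` list are all constructed for the demo.

```python
"""Fingerprint an Elasticsearch endpoint that answers without authentication.

Added illustration, not CybelAngel's code. Assumption: an unsecured node
returns cluster metadata on "/" and its index list on "/_cat/indices?format=json";
a secured node returns 401 for both. The local servers below are constructed
stand-ins for scanned hosts so the script runs offline.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Index-name fragments that suggest sensitive content (constructed, illustrative list).
SENSITIVE_HINTS = ("customer", "user", "payment", "invoice", "patient", "salary")


def fetch_json(url, timeout=3.0):
    """GET url and return (HTTP status, parsed JSON or None)."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8", errors="replace"))
    except urllib.error.HTTPError as e:      # 401/403/404 etc. still tell us something
        return e.code, None
    except (urllib.error.URLError, ValueError, OSError):
        return None, None


def check_elasticsearch(host, port):
    """Classify one endpoint: exposed or not, which indices are visible, and a severity."""
    base = f"http://{host}:{port}"
    status, root = fetch_json(f"{base}/")
    # An unsecured node answers "/" with cluster metadata; anything else is not an open ES.
    if status != 200 or not isinstance(root, dict) or "cluster_name" not in root:
        return {"exposed": False, "severity": "none", "indices": [], "status": status}
    _, cat = fetch_json(f"{base}/_cat/indices?format=json")
    indices = [row.get("index", "") for row in cat] if isinstance(cat, list) else []
    sensitive = [i for i in indices if any(h in i.lower() for h in SENSITIVE_HINTS)]
    return {"exposed": True, "status": status, "cluster": root.get("cluster_name"),
            "indices": indices, "sensitive_indices": sensitive,
            "severity": "high" if sensitive else "medium"}


class _FakeES(BaseHTTPRequestHandler):
    """Constructed stand-in for an Elasticsearch node; subclasses set `secured`/`indices`."""
    secured = False
    indices = []

    def do_GET(self):
        if self.secured:
            self._send(401, {"error": "unauthorized"})
        elif self.path == "/":
            self._send(200, {"cluster_name": "es-demo", "version": {"number": "7.10.0"}})
        elif self.path.startswith("/_cat/indices"):
            self._send(200, [{"index": n, "docs.count": "1"} for n in self.indices])
        else:
            self._send(404, {"error": "not found"})

    def _send(self, code, payload):
        body = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_es(secured, indices):
    """Start a local stand-in node on an ephemeral port; returns (port, server)."""
    handler = type("Handler", (_FakeES,), {"secured": secured, "indices": list(indices)})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server


def demo():
    """Scan one open and one secured stand-in; returns (open_result, secured_result)."""
    open_port, open_srv = start_fake_es(False, ["logs-2020.07", "customer-records"])
    sec_port, sec_srv = start_fake_es(True, [])
    try:
        return (check_elasticsearch("127.0.0.1", open_port),
                check_elasticsearch("127.0.0.1", sec_port))
    finally:
        for s in (open_srv, sec_srv):
            s.shutdown()
            s.server_close()


if __name__ == "__main__":
    for result in demo():
        print(json.dumps(result, indent=2))
```

The severity rule is deliberately simple (index names only); a real platform would also sample documents and apply the classification the bullet above describes. Run it with no network access: the two stand-in servers are local and the open one is reported as "high" because a `customer-records` index is readable without a login.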
Our Third-Party Risk Assessment provides enterprises with an evaluation of their strategic suppliers in just five business days. The result is a comprehensive Cyber Exposure Report, which includes:
- Cyber exposure risk assessment of the third-party(ies) of your choice (partner, vendor, supplier, etc.)
- Detailed analysis by incident, including severity and risk evaluation on sensitive data leaking
- Benchmark against industry peers
- Expert recommendations for remediation of identified vulnerabilities