The news from Human Resources is that employees are happier than ever. Working from home using third-party vendor services makes work easier and more flexible.
The news from IT is less enthusiastic. A recent report showed that a whopping 98% of organizations have at least one third-party provider that has suffered a data breach in the last two years.
Third-party vendor relationships are nothing new to modern business ecosystems.
Most organizations partner with an average of 10 external providers to manage essential needs like web hosting, database management, call center and customer relationship management services, payroll, contracting, equipment management, and more.
From a business perspective, it makes sense to engage third parties to perform non-core business operations. As a form of outsourcing, it is highly cost- and resource-effective.
From a security perspective, however, those relationships represent potential vulnerabilities.
Why? Because third-party vendors need access to your organizational data to perform the jobs you hired them to do.
How do Third-Party Breaches Happen?
Research revealed that 40% of third-party vendor breaches occurred via unauthorized network access.
Malicious actors gain unauthorized access, usually through stolen credentials, weak or shared passwords, and other means enabled through phishing and social engineering emails and texts.
In other words, a sizeable portion of breaches starts with people. All it takes is a single click.
In a common scenario, a third-party vendor employee doesn’t recognize a phishing email, spoof site link, or malware download.
The cyber attacker may or may not be after your company data specifically. In a ransomware attack, they might want to steal credentials, damage technology, or disable systems.
The problem is that your internal data and, potentially, sensitive customer data that you’re responsible for are now within reach of a cyber attacker or already under their control.
While third-party vendors can have robust cyber security practices, unfortunately, many don’t. In fact, a report by Cyentia revealed that third-party vendors are five times more likely than primary organizations to demonstrate shoddy security behaviors.
Biggest Cyber Security Risks from Using Third-Party Service Providers
Organizations face reputational, financial, and regulatory risks in any cyber security breach. However, with less control over breach response time, remediation, and messaging in security incidents involving third-party vendors, the effects and implications could be more acute. Here are the biggest risks to be aware of.
Data loss and related costs
Data is at the highest risk and frequently the target of cyber attacks for purposes of fraud, identity theft, and account takeovers. In indirect attacks, malicious actors exploit weaknesses in smaller vendors to access richer or more extensive data sources belonging to their larger clients.
Reputational damage and lost business
Data privacy legislation often requires companies to inform their customers in the event of a data breach or compromise. In major incidents, companies risk severe reputational damage from negative publicity. When customers discover that their data was held by a poorly protected third party, brand loyalty erodes. Customers lose trust and go elsewhere, taking valuable revenue streams with them.
Downtime and remediation costs
Cyber security attacks can slow business operations or bring them to a halt. That downtime can be expensive. Organizations lose revenue yet still need to pay salaries during the recovery period. Remediating breaches can be costly and time-consuming, further incurring financial losses. Cyber security insurance may not cover those costs if organizations don’t have certain precautions in place.
Regulatory fines
Primary organizations are increasingly responsible for customer data across its entire lifecycle. That includes its collection, storage, and management by third-party vendors. If those vendors are poor data custodians, the primary organization may face regulatory risk. Penalties and fines for non-compliance with data privacy and protection laws can be expensive.
Fourth-party risk
A partnership with any third-party vendor exposes organizations to their supply chain vendors in turn. When third-party risk turns into fourth-party risk, the challenge of monitoring data, performing audits, and providing cyber security training gets even more complex.
Best Practices to Manage Third-Party Security Risks
With more companies opting for remote work and digitally transforming their operations, third-party vendor partnerships are here to stay. Thankfully, legislative and accreditation norms are encouraging more third parties to take action to boost data security. Here are more steps organizations can take to help protect themselves against third-party vendor breaches.
- Make sure third-party vendors have cyber security protections in place
Any time an organization engages a new third-party vendor, it must vet that partner as part of its due diligence process. Ask what access controls are in place and what security testing and auditing they perform, internally and externally. Ask whether and how often they conduct phishing simulations and social engineering testing for employees. Ensure that remediation is done on any gaps they identify.
- Promote best practices through cyber security training
Organizations need assurance that vendor employees have completed cyber security training. Find out which employees can access your data and ask them to sign confidentiality agreements. Make sure they use secure file transfers, VPNs, and multi-factor authentication. Provide training on passwords, credential protection, and detection of malicious emails. Always require third-party vendors to notify you of key staffing changes so you can reinforce data protection best practices among new personnel.
- Specify a breach notification time
The sooner organizations respond to a breach, the better their chances of containing the damage. Sometimes third-party vendors keep breaches quiet and try to remediate problems themselves, believing that doing so preserves the business relationship and their reputation. To stay informed, organizations should specify breach notification times in contracts.
- Establish security expectations and requirements
Organizations need to see eye to eye on cyber security with each of their service providers. Setting firm expectations and requirements around data protection, controls, and access gives you deeper insight into vendor security postures. If their controls don’t meet your expectations, or if they won’t let you in to remediate a problem, the partnership might be past its due date.
- Check for cyber security certifications
One way organizations secure their operations is by gaining industry certifications in security and risk management. If organizations use third-party vendors, they should ensure those vendors hold industry accreditations through established frameworks, such as SOC 2 and ISO 27001.
Cyber Security Awareness Stops Risks Right at the Door
Organizations can reduce the risk of cyber attacks and foster positive cyber security behavior among downstream employees by including cyber security training in their third-party risk management (TPRM) strategies. After all, when external employees handle your sensitive corporate data, they need to know how you expect it to be protected.