Who’s really responsible for third-party vendor breaches
Published June 21, 2018 by Maxine Henry
Third-party vendors, suppliers, and partners pose more risks to your reputation and bottom line than ever before. Recent surveys indicate as many as 63 percent of breaches stem from third-party access. Some of the most devastating cyberattacks in recent years, in fact, have occurred not to big companies, but to their vendors.
The sheer number of third-party contractors may be a factor. Enterprises are turning increasingly to contractors not only to save on the costs of hiring full-time employees, but also to fill a temporary need or a very specific niche such as IT or data analysis. As your own circle of trust widens, how will you ensure that your enterprise’s data, and that of your clients and customers, remains safe and secure?
The 2015 hack of the credit-processing agency Experian, among other high-profile vendor breaches, shows the damage that can happen to your business if just one of your vendors, suppliers, or partners drops the ball on security. Cybercriminals breached Experian’s database, but it was T-Mobile’s data they stole: personal data on 15 million T-Mobile cellular service customers.
T-Mobile’s CEO said he was “incredibly angry” about the breach, and rightly so: Experian had neglected to install security patches. But whose job was it to safeguard that data? Several class-action lawsuits are pending against both organizations, holding T-Mobile equally responsible.
Regulators seem to agree. The European Union’s General Data Protection Regulation (GDPR) puts the onus on enterprises to secure and keep track of the personal data they collect, process, store, and share. Furthermore, the regulation stipulates that organizations must notify the European Supervisory Authority and customers promptly in the event of a breach.
Financial regulators have increasingly held banks accountable for third-party issues. In New York, 23 NYCRR 500 took effect on March 1, 2017, and state regulators now require financial firms to verify that their vendors’ cybersecurity measures are adequate.
Trust and verify
Even with the vendors you know and trust, a handshake is no longer enough; nor is a contract. Today, you must verify the trustworthiness of your third-party contractors and document that you have done so. How?
Assessments and audits are the most common methods of vendor verification. For many enterprises, an assessment will suffice—but not just any assessment. To get the most out of yours, I suggest you keep it simple.
Too often, organizations throw everything but the kitchen sink into their questionnaire, muddying their view of what is really going on, while the questions that matter go unasked. Craft a meaningful assessment by asking yourself some questions first:
- What does this vendor do for my enterprise?
- Does the vendor collect, process, or store customer or employee personal data on our behalf?
- What kind of access does the vendor have to our data, systems, and networks?
- What are my chief security concerns with this particular vendor?
- How can I know whether the vendor is protecting data to our standards?
- What happens to the data I share with this vendor?
- Can the vendor provide certifications to prove compliance with important frameworks and regulations?
- Which third parties does the vendor work with, and what access do they have to our data?
- How does the vendor ensure security and compliance among its own third parties or subcontractors? A chain is only as strong as its weakest link.
Each set of questions will be unique not only to your organization, but also to each vendor you’re assessing, taking into consideration the nature of your relationship and what you think is important.
Quality, not quantity
Create your survey carefully and take a risk-based approach. Remember that a human will be analyzing the results, and distractions could cause them to miss something critical. The more concise your questionnaire, with an emphasis on understanding how the vendor is using your data, the more readily you will be able to identify risks.
In some cases, you will want to audit a vendor. Vendor audits are a growing trend, although they can be a hassle. To make the task easier, find out whether your vendor holds a SOC 2 report or another relevant certification. If so, you can lay to rest many broad-based concerns you might have and focus on what matters most to your company.
But if the data you’re sharing is particularly sensitive, or if you spot red flags in the survey phase, you may opt to conduct an audit. If you do, again, keep the process focused and specific. Adopt a risk-based approach rather than a list-based one: consider your enterprise’s threats and concerns first, then look at how the vendor protects you, or doesn’t.
Third-party vendors are no longer the exception, but the rule. As they proliferate, so will cybercriminals’ efforts to hack their databases, hoping that their systems are less secure than yours. Don’t let that be the case, and most certainly don’t simply assume that your third-party vendors are secure and compliant. Trust but verify!
Data is the new gold. Getting yours breached, no matter where it occurs, could cause staggering fines, penalties, and reputational damage. That is why, when it comes to protecting your data, the buck stops not with your third-party vendor—but with you.