In today’s interconnected business landscape, companies of all sizes outsource many of their operations to third-party vendors. This also means giving those contractors access to some or all of your data, including Application Programming Interface (API) keys, sensitive customer information, and other confidential data.
Third-party vendors, suppliers, and partners have become an indispensable part of most organizations. The problem? Cybercriminals are well aware of this, making third-party vendors a strategic target for them.
What Is a Third-Party Breach?
A third-party breach refers to a situation where your confidential data is stolen from a third-party vendor in possession of that data; or when the vendor’s systems are used to gain unauthorized access to steal sensitive information stored on your systems.
A Ponemon Institute and SecureLink study found that 51 percent of organizations have experienced one or more data breaches caused by a third party. Remediating the damage of such attacks costs organizations an average of $7.5 million.
According to CDNetworks, small businesses, healthcare institutions, government agencies, energy companies, and higher education facilities are the five sectors that are at most risk from cyber threats, especially ransomware attacks. Business owners must take a more active approach to minimize data breaches, especially if they operate in any of those high-risk sectors.
What Are the Types of Data Breaches?
Physical breach
A physical breach arises from the physical theft of documents or equipment containing cardholder account data (files, personal computers, point-of-sales systems). Items at risk include:
- External hard drives;
- Desktop computers and laptops;
- Technologies containing cardholder data, such as point-of-sale equipment;
- Any physical assets containing confidential data, including credit card receipts, blank checks, or hard-copy bills.
Electronic breach
An electronic breach arises from unauthorized access or deliberate attack on a network or system where confidential information is processed, stored, or transmitted. It commonly results from a hacker getting access to a system’s vulnerabilities through application-level attacks on web servers or websites.
Skimming
Skimming is a process where the hacker uses an external device to capture and record the magnetic stripe data on the back of credit cards. Sometimes, the device is installed on a merchant’s point-of-sale system without the merchant’s knowledge.
Hackers do this to collect data and use it to create counterfeit credit and debit cards.
How Do We Protect Sensitive Information Handled and Stored by Third-Party Vendors?
Sensitive information is confidential data that must be stored securely and kept out of reach from all outsiders unless they have permission to access and use it. This includes educational records, customer information, corporate intellectual property, and personal data such as health data and confidential information.
Here’s how to protect your organization’s sensitive data handled and stored by third-party vendors:
Choose your vendors carefully
Onboarding third-party vendors and giving them access to your network and sensitive data without assessing the level of cybersecurity risk they introduce is risky. Despite that risk, many companies still fail to perform adequate due diligence during the vendor selection process.
Viewing a potential vendor’s security ratings can be a great starting point to vet its security. Security ratings allow you to determine the vendor’s external security posture, as well as potential security threats. This reduces the operational burden on third-party risk management (TPRM) teams during vendor selection, due diligence, onboarding, implementing, and monitoring. Plus, you get access to reports that you can share with vendors for remediation.
Incorporate risk management into your contract
Incorporating cyber risk into your vendor risk management program and vendor contracts is a recommended practice.
While this won’t prevent a third-party data breach, it will hold vendors accountable should their security posture weaken. For instance, you can require that a vendor who processes customer data or credit cards must maintain a security rating above 900, or risk termination of the contract.
Incorporating Service-Level Agreements (SLAs) into your contract so that you have greater control over your vendors’ cybersecurity risk management behavior also works. Consider using language that requires your vendors to communicate or even remediate any security issues within a specific time period (for example, 72 hours for high-risk issues).
You may also include the right to request a completed security questionnaire every quarter, to highlight security issues missed by external security scanning. Then incorporate those issues into the contract.
Maintain an inventory of your in-house vendors
One cannot measure the level of risk a vendor introduces to your environment if you don’t know that vendor exists and is operating within your extended enterprise. Hence every organization should maintain an inventory of its third-party vendors.
Keeping an inventory may sound simple, but knowing all vendors used by your organization isn’t easy, especially if you work at a large organization. As such, you should consider using sophisticated tools that make it easier for vendor management.
Continuously monitor vendors for security risks
Your vendors’ security posture can (and will) change throughout the contract. That’s why you have to continuously monitor their security controls.
Many organizations rely on point-in-time assessments, such as security questionnaires and audits, instead of continuously monitoring their vendors. Point-in-time assessments do help, but they are only snapshots of an organization’s security posture at that moment.
On the other hand, a continuous security monitoring solution will provide a real-time assessment of your vendors’ information and data security controls.
Use the principle of least privilege
Business owners often make the mistake of granting more access to a third party than it really needs to do the job. Seventy-four percent of data breaches were caused because of giving too much privileged access to third parties.
To avoid this, you need security policies that include a robust role-based access control system that follows the principle of least privilege (POLP). That principle limits access rights for users, accounts, and computing processes to only those needed to do the job at hand.
What Are Some of the Challenges of Protecting Sensitive Information Handled by Third-Party Vendors?
Businesses generate sensitive information – employee records, customer details, loyalty schemes, and more – that must be protected to prevent data from being misused by third parties for fraud, such as identity theft and phishing scams.
Data protection involves assessing the risks from any source and mending weaknesses throughout your entire company and its network. Third-party vendors need their own security protocols for greater visibility into potential issues, and to make third-party vendor risk management more effective.
Having certain security protocols such as due diligence, third-party risk assessments, and audits will help save a significant amount of time and resources.
For instance, if your company is bound by regulations like the Health Insurance Portability and Accountability Act (HIPAA), you don’t want to hire a data storage company that doesn’t use high-level encryption. You want a vendor that understands these regulations and is willing to adapt to meet them.
That said, protecting sensitive information handled by third-party vendors isn’t easy. Here are the key challenges and how to overcome them:
Knowing your data and obligations
Data privacy laws differ in the types of data they actually protect. While some protect specific kinds of information (financial data, health data), others are more flexible in their approach. Many data privacy laws also treat encrypted or secured data differently.
So be aware of the data you collect, and the regulatory compliance obligations you have for that data.
Vetting different vendors
Organizations must assure that their vendors accessing sensitive information can adequately protect it. They can do this by asking questions to eliminate potential vendors that cannot or will not comply with your specific requirements.
Various elements come into play when choosing the right vendors.
You need to consider Service Organization Control (SOC) reports, have the appropriate administrative, technical, and physical safeguards in place, and find out about the vendors’ data backup and retention policies. You should also know whether the vendor wants to subcontract any of your work, and if it does, whether your vendor can effectively monitor the subcontractor’s risks.
Regular monitoring
Due diligence and contractual safeguards will mean nothing if you cannot then monitor the ongoing behavior of your vendor. Its compliance and security practices could change suddenly, or your needs might change and the vendor can no longer meet your requirements. So building effective procedures to monitor third party behavior is critical.
Manage Your Third-Party Vendor Risks With Reciprocity
As your business grows, third-party vendor risks will too.
Reciprocity’s ZenGRC can improve vendor relationships and remove the burden on your internal teams with simple and automated third-party risk management. You can use the software to create efficient vendor questionnaires and evaluate and compare different vendors by collecting individual responses and risk scores over time.
Visit our risk product page to learn more and stay ahead of ever-evolving security threats.