Data breaches are cybersecurity events that can harm a company’s reputation, finances, and compliance. Far too often these days, breaches are caused by a company’s third parties – and they can also cost an awful lot of money to repair the damage.
For example, in 2019 two breaches of Facebook data arose from third parties mishandling information on Facebook’s behalf. The first exposed 540 million records stored in misconfigured AWS S3 buckets. In the second, the app At The Pool leaked information about 22,000 Facebook users, including unprotected passwords and email addresses.
In 2020, cybercriminals exploited vulnerabilities in Accellion’s (now known as Kiteworks) File Transfer Appliance, which transmits large, sensitive files across a network, to leak sensitive data such as Social Security numbers and financial information. Organizations affected included the Reserve Bank of New Zealand, the University of Colorado, Qualys, and the State of Washington.
According to a report by Ponemon Institute, slightly more than half of all organizations have suffered a data breach caused by a third-party vendor. In today’s interconnected world, third-party risk management must be a top priority as hackers continue to exploit vulnerabilities and poor information security practices across networks.
What Are the Most Common Types of Data Breaches?
The most common attacks come from ransomware, phishing schemes, and SQL injections.
Ransomware Attacks
Ransomware is malware that encrypts data on a device or network; the attacker then demands payment to hand over the decryption key. Initially these cyberattacks were not often associated with data breaches. Lately, however, ransomware-as-a-service (RaaS) has emerged and made these attacks a threat to companies’ data protection strategies.
In addition to encrypting an organization’s information, RaaS schemes also exfiltrate the compromised data, which is then used to exert further pressure on companies. For example, attackers threaten to publish all information obtained (especially confidential or customer data) if they do not receive the ransom payment.
Phishing Schemes
Phishing attacks are a social engineering approach that can lead to several organizational threats. First, attackers pose as legitimate parties and try to dupe employees into sharing access credentials, which the attackers then use to extract data. Targeted phishing attacks (“spear-phishing,” where the attacker poses as, for example, a supervisor within your organization) are also used to extract customer data and sensitive information.
SQL Injections
SQL injections are cybersecurity threats that exploit vulnerabilities in your applications to execute attacker-controlled queries against your database. These incidents can result in the forced extraction of sensitive information or customer data from your database, and even in the deletion of the database itself.
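As an added illustration that is not part of the original post, the following Python snippet shows the vulnerable pattern (untrusted input spliced into the query text) next to the hardened one (a parameterized query), run against a constructed in-memory SQLite table. The table contents and the probe input are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example; not from any real system.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "ssn-redacted-1"),
    (2, "bob@example.com", "ssn-redacted-2"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_unsafe(conn, email):
    # Vulnerable pattern: the user-supplied string becomes part of the SQL syntax,
    # so a quote character in it can change what the query means.
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # Hardened pattern: the driver binds the value separately from the SQL text,
    # so quotes in it are treated as data, never as syntax.
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    # A regression check a defender can keep in a test suite: an input containing
    # a quote must not widen the result set once the query is parameterized.
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed test input
    return {
        "unsafe_rows": len(lookup_unsafe(conn, probe)),  # every row leaks
        "safe_rows": len(lookup_safe(conn, probe)),      # no row matches
        "safe_exact": len(lookup_safe(conn, "alice@example.com")),
    }
```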
What Are the Top Reasons for Third-Party Breaches?
Like cyberattacks, third-party data breaches can happen for numerous reasons. Even so, there are common causes that can help you evaluate a vendor’s security posture before engaging in a third-party relationship.
Unpatched Security Vulnerabilities
No software application is perfect, so developers issue security patches and updates to protect IT systems. Security teams must implement security automation and policies with strict patch guidelines for software and applications. These security policies must apply internally and externally, to all service providers and third-party relationships.
Human Error
These errors can range from misusing personal data to falling victim to a phishing attack. Your third-party risk assessment should evaluate each vendor’s security controls for preventing data breaches and for raising cybersecurity awareness across their organization, including their remote workers.
Malware
Malware can have different effects on your company. Some can remain hidden within your network while extracting information. Other malware can be a backdoor for hackers to gain privileged access to your network and execute downstream attacks.
Your third-party risk management program should consider the risk of these threats on your infrastructure and the protection your third-party vendors have against these threats.
What Are the Consequences of a Third-Party Vendor Breach?
Data breaches can cause enormous disruption to an organization’s operations and reputation. The consequences are shared even when your business is not directly at fault for these events. The effects of a third-party data breach are similar to those of a data breach within your own organization.
Financial Impact
A report from International Business Machines (IBM) and the Ponemon Institute found that the average cost of a data breach rose from $3.86 million in 2020 to $4.24 million in 2021. Moreover, the financial harm of these events is amplified in third-party data breaches, reaching an average cost of $4.33 million.
Legal Consequences
Depending on the data protection regulations governing your company, you may experience downstream legal liability for data breaches by your third parties.
For example, when the American Medical Collection Agency (AMCA) suffered a data breach in 2019, its healthcare clients were noncompliant with the Health Insurance Portability and Accountability Act (HIPAA). This event resulted in various class-action lawsuits and state investigations.
Reduced Competitive Advantage
Recent ransomware attacks have demonstrated the operational harm of these kinds of threats, disrupting companies’ internal processes. Data breaches can disrupt your supply chain, causing further inconvenience and added costs for your organization. A third-party vendor’s unauthorized disclosure of patents and trade secrets can cause you to lose that competitive advantage.
Reputational Damage
When a data breach occurs, public opinion doesn’t care if your vendor is at fault because, in customers’ eyes, you are responsible for their data. As a result, your customers’ trust will be considerably affected if their information is exposed, either directly by you or through a third-party data breach.
What’s the Average Cost of a Data Breach?
According to the 2022 Cost of a Data Breach study from IBM and the Ponemon Institute, the average cost of a data breach has increased to a record high of $4.35 million. The Ponemon Institute and IBM Security research considers hundreds of cost elements, including loss of brand value, customer churn, and a drain on staff productivity, as well as legal, regulatory, and technical efforts.
That said, since every company and sector has different exposures and risk variables, estimating how much a data breach might cost your company can be difficult. Businesses can, however, educate themselves on the most influential factors in the cost of a breach, and on how those figures vary depending on your specific industry and company size.
Real-world Examples of Devastating Data Breaches
Brighton and Sussex University Hospital
The theft of thousands of patient records in 2010 resulted in a £325,000 sanction for Brighton and Sussex University Hospital. According to reports, the private information, including medical results, was listed for sale on eBay. In this case, the criminal gained access to private information by snatching hard disks intended to be destroyed.
The Brighton and Sussex Hospital incident illustrates how vulnerable physical devices can be. Companies should dispose of external storage devices carefully rather than simply trashing them, or move their data to a cloud-based storage solution.
LinkedIn
In 2021, roughly 165 million user accounts on the social media site LinkedIn had their personally identifiable information (PII) stolen in a data breach. Since then, the data has been shown to be for sale on the dark web.
Weak user passwords and LinkedIn’s failure to “salt” the stored passwords were both factors in the data breach, which cost the firm more than £3 million to remediate. This is one of the most noteworthy examples of a common cause of data leaks.
Salting is the addition of a random string of characters known only to the site to each password before it is hashed.
In light of LinkedIn’s catastrophic data leak, we must consider how encryption and passwords protect our data.
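To show concretely why unsalted password hashes are a liability, here is an added Python example that is not part of the original post. It contrasts a plain SHA-256 store, where two users with the same password end up with identical digests, with a per-user random salt fed into PBKDF2-HMAC-SHA256; the salt length (16 bytes) and iteration count (200,000) are assumed parameters chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example, not taken from the page.
SALT_BYTES = 16
ITERATIONS = 200_000


def hash_unsalted(password: str) -> str:
    # The weak pattern: a bare digest of the password. Every account sharing a
    # password gets the same value, so cracking one reveals all of them, and
    # precomputed tables work against the whole database at once.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # The hardened pattern: a fresh random salt per password, stored next to the
    # digest. Identical passwords now produce unrelated digests, and a table
    # precomputed for one salt is useless for any other.
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored_digest: bytes) -> bool:
    # Recompute with the stored salt and compare in constant time.
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def same_password_collides(password: str) -> Tuple[bool, bool]:
    # Returns (unsalted_digests_equal, salted_digests_equal) for two users
    # who chose the same constructed password.
    unsalted_equal = hash_unsalted(password) == hash_unsalted(password)
    salted_equal = hash_salted(password)[1] == hash_salted(password)[1]
    return unsalted_equal, salted_equal
```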
Quora
In 2018, one hundred million Quora members’ personal information was stolen, including:
- Sensitive account information
- User website actions
- Direct messages
The data of millions of users was compromised after an unauthorized third party gained access to one of the website’s systems. It is still unclear how the attackers broke into the system.
What Can We Do to Protect Our Data from Third-Party Breaches?
Companies must embrace a robust risk management policy and evaluate their risk landscape to protect against data breaches and respond to them. Following these best practices is imperative to ensure you are working with third parties that take cybersecurity seriously.
Vendor Risk Assessments
Determining the level of risk that a vendor represents for your company should be the first step before onboarding a third party. This assessment is crucial to avoid noncompliance because some regulations, such as HIPAA and the GDPR (Europe’s General Data Protection Regulation), require that your vendors handle data according to the same rules you follow.
Inventory Third-Party Vendors
Before you can determine the risk posed by the vendors you use, you need to identify the number of third parties and the specific information you share with them. Without this inventory of your third-party relationships, you cannot assess the risk to your company in any helpful way.
Monitor Vendors’ Risks
The security posture of your third parties will change over time, so you must keep track of these changes. In addition, the modifications your vendors make to their security controls directly affect your third-party risk level. Implement continuous monitoring measures for your vendors and periodic audits.
Limit Access
Sometimes third parties have more access to your information than they need. This unnecessary access can lead to avoidable risks.
Applying the Principle of Least Privilege (POLP) ensures that your vendors only have access to the information required to perform their duties. At the same time, a zero-trust architecture minimizes risks related to human error and the accidental loss of devices linked to your network. Together, these two approaches are fundamental to any data protection program.
ZenRisk Can Help You Keep Track of Third-Party Risks
Managing third-party risks is a complicated, difficult endeavor. Implementing a solid governance, risk, and compliance (GRC) solution makes compliance and risk management a breeze.
ZenRisk is a centralized, integrated third-party risk solution that monitors risks across your business. Don’t waste time with time-consuming spreadsheets when ZenRisk offers a single source of truth to expedite testing and audit management across your established standards.
Whether improving an existing supplier risk management program or creating one from scratch, ZenRisk’s user-friendly interface is scalable. In addition, it comes pre-loaded with templates and compliance frameworks for quick implementation.
ZenRisk manages the vendor questionnaire process by streamlining distribution and collection. It will even aggregate results and assign risk scores to each vendor, giving you visibility to high-risk areas.
This software-as-a-service ensures that your organization complies with regulatory and industry standards such as System and Organization Controls 2 (SOC 2), International Organization for Standardization (ISO), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and California Consumer Privacy Act (CCPA). Furthermore, it runs self-audits with a single click and preserves your audit reports for quick access at audit time.
Contact us for a free demo and get started with worry-free third-party risk management.