Many organizations today rely on partners, vendors, and third parties to conduct day-to-day operations. In doing so, these groups often have access to, affect the security of, or interact with the organization’s critical data. These parties are a cyber risk that requires attention.
Some of the more recent notable breaches because of a vendor or third party illustrate the risk:
- GE suffered a breach from what most would consider a low-risk third party: its human resources document management vendor.
- A healthcare organization had a breach in 2020 via a laptop stolen from a contractor. Over 650,000 records containing patient Medicaid data were exposed when the contractor’s offices were burglarized and the laptop was stolen.
- A massive data breach of more than 235 million records affected multiple social media giants, exposing usernames, contact and other personal information, pictures, and account statistics. The breach appears to have come from DeepSocial, a now-defunct social media data broker.
- Another breach affecting multiple customers occurred when several aerospace and auto companies had data exposed via Visser, a relatively unknown parts vendor.
- Expedia, Hotels.com, and other travel sites suffered data breaches via Prestige Software. This Spanish software developer left over 10 million records from their large hotel booking website clients in an exposed AWS S3 data bucket.
These are only a few recent examples. Here are five tips to protect your organization/clients:
- Maintain an inventory of all your vendors and third parties and include what they can access or what data you share with them.
- Confirm that your contract language includes how they validate their cybersecurity practices. They should provide a copy of their attestations from independent auditor(s), such as a SOC report or ISO certification. The attestation should be reviewed by a cybersecurity consultant to verify that it provides sufficient assurances based on the level of risk. For example, SOC audits can be very limited in scope, so you would want confirmation that the scope of the attestation included the appropriate controls.
- Consider using a GRC management tool. Managing the inventories, contracts, and attestations from numerous third parties can become difficult to track manually.
- Consider using a third-party risk tool. There are numerous tools available now that perform automated assessments against all your vendors and report a score back; make sure those scores stay in the acceptable range.
- Do this exercise annually and follow up with vendors who may be lacking in their cybersecurity responses.