If you know anything about cyber security, you are probably well aware of the 2017 data breach at Equifax that exposed the sensitive financial and personal data of roughly 150 million Americans. But did you know that it wasn’t directly caused by a flaw in Equifax’s cyber security? The hackers were able to access Equifax’s data on Equifax’s corporate servers due to a security flaw in an open source web application called Apache Struts.
The 2017 Equifax breach is a perfect example of what security experts call third party risk. Third party risk is the threat that occurs not from the organization’s own servers, but from outside third parties such as vendors, contractors, or others in the organization’s supply chain. Typically, these third parties will have access to an organization’s sensitive data, and if their security standards are less robust, it will leave that organization extremely vulnerable to hackers.
Why is Third Party Risk Underestimated?
There’s a well known safety issue in the sport of extreme mountaineering that if an expert is put in charge of a group of beginners in a dangerous climb, the chances of an accident are relatively low, but if a group of experts were to attempt the same climb in the same conditions, the chances of an accident increase significantly. At first, this sounds backwards. How could that possibly be?
When the expert is in charge of the beginners, they know they are fully responsible for everyone’s safety. They know the risk is high and it is incumbent upon themselves only to make sure everyone returns from the climb safely, so the proverbial t’s get crossed and i’s get dotted with strict attention to detail. In other words, there is full accountability.
When the experts go out together, the guards get dropped. Each expert is thinking that since they have been on this climb dozens of times with beginners without incident, certainly nothing can happen this time. All parties assume that not only will each individual be able to take care of themselves but will be looking out for the safety of everyone else as well. The clear accountability becomes opaque, and then disappears completely.
This is how the Equifax breach occurred. Equifax assumes that the Apache Software Foundation was doing its due diligence in putting out a safe and secure product. Apache Software Foundation was assuming that the security professionals at Equifax would install the security patches in a timely manner, every time.
Of course, that didn’t happen. The security flaw in Apache Struts was discovered weeks earlier. Although a patch was soon available to fix it, it was never relayed how urgent it was, as Apache Software assumed everyone would install the fix immediately, as would be standard procedure for every firm. In other words, there was no accountability.
Another reason that third party risk is often underestimated is that many of these third party vendors tend to be smaller and less sophisticated than their large fortune 500 clients. A huge company, like Target, who was victim to an infamous breach in 2013, would have a robust cyber security department. But just as in the previous cases we have discussed, the hackers didn’t get in through Target’s systems, it was a small third party vendor that left Target’s data vulnerable.
Recent Examples of Third Party Risk
Just this year alone there have been several high profile cases of damaging third-party data breaches. In March, Volkswagen Group of America, Inc learned that unsecured data was on the internet between August 2019 and May 2021 and had been accessed by an unauthorized party. According to documents filed with the California and Maine Attorneys’ General Offices, Volkswagen Group of America, Inc disclosed that it was a vendor who left unsecured data exposed on the Internet. 3.3 million Audi customers had their contact information, complete with Social Security numbers and loan numbers, compromised over the course of several months.
Leaving sensitive data exposed on the Internet is a common yet highly preventable mistake. To help protect their customers’ data, organizations should be sure to double check that their vendors are storing it securely. The breach could have been disastrous for Volkswagen Group of America, Inc. Similar cases have led to lawsuits, fines, and especially loss of customer loyalty.
To the public, the fact that the breach was caused by a third party vendor was irrelevant. The public perception was that VGoA left their customers’ data unsecured. This is an example of Reputational Risk, which arises from negative public opinion caused by a third party’s actions. No one remembers the name of the vendor, if they ever heard it at all, but people will be highly unlikely to forget that their data was stolen while in the hands of VGoA.
In another case earlier in 2021, there was unauthorized access to the protected health information of 8,000 oncology patients at Cancer Centers of Southwest Oklahoma. The information exposed included names, Social Security numbers, addresses, birthdays, and details about medical diagnoses and treatments. The breach was discovered when a third party vendor, Elekta, noticed unusual activity on its network.
Cybercriminals have targeted charities and hospitals in the past, which goes to show there is no bar that is too low for these criminals to stoop to. The lesson here is that every organization is a potential target.
Best Practices for CISOs
Hackers and cyber criminals are well aware that often the best way to break into systems is to use a vulnerability in a third-party. It is crucial for CISOs to adapt to this risk and take appropriate action. Organizations should put together a best practices protocol for working with third party vendors, review and update the policies as needed, and most importantly, make sure that all employees in the organization and vendors know and are following the policies.
Analyzing your vendor’s cyber security risk before and during onboarding is one of the most important measures you can take to keep your data safe. Double check the vendor’s cyber security policies and protocols for performing a thorough assessment of their cyber security vulnerabilities. This must be done before providing the vendor with access to your organization’s data.
It is crucial for a CISO to understand the third party’s security protocols. CISOs must ask questions before onboarding. Do you store data in the cloud? Will the data be transmitted over an unencrypted connection? Will copies of the data be stored on mobile devices? These are all important questions to ask.
Once the vendor is onboarded, another best practice is to limit a vendor’s access to your organization’s data. There is no need to provide every vendor with access to all of your data. Each vendor should only have access to exactly what they need and no more.
It is also crucial to regularly monitor your vendors’ cyber security protocols. Hackers are always coming up with new and sophisticated techniques for bypassing security controls. it is essential that you and your vendors constantly keep their security protocols and controls updated as well.
Employees also have access to lots of confidential and sensitive information, which can cause significant damage if compromised. To keep this data secure, it is essential to make sure that your employees are vigilant enough to prevent this data from getting leaked. They should know the consequences of sharing confidential data with outsiders, regardless of whether they are trusted vendors or loyal customers. Organizations should provide their employees with cyber security awareness training to make them cyber aware and responsible.
Third parties can cause security breaches, but third-party relationships are necessary for many organization functions. Fortunately, there are practices that companies and organizations can follow to improve their third-party security. By taking security measures like monitoring risk factors and third-party inventory, your organization can avoid the possible issues that can arise from these partnerships.
The bottom line is that third-party risk has become as critical as first-party risk. It is imperative that CISO’s establish and maintain clear lines of communication with vendors regarding cybersecurity. As we have seen, breaches often occur as the result of poor communication and a lack of clear accountability between organizations and their vendors.
When these breaches occur, often the organization that had its data stolen is subjected to lawsuits, not the third party that allowed the breach to happen. In addition, no one remembers the name of the third party, at least among the general public. Everyone will remember the organization that had its data stolen, though, and that leads to harm to their reputation that can severely cripple a business. Equifax and Volkswagen are perfect examples of that. It wasn’t their mistake that directly caused the problem, but ultimately they paid the price.
It is crucial that CISOs have strict protocols in place to assess and mitigate third party risk. Understanding a third party’s cyber security practices before and during onboarding, limiting sharing of or access to data to only what is necessary, and constant monitoring are crucial steps an organization can take to mitigate risk. And perhaps most importantly, just like the mountaineering experts in an avalanche prone mountain peak, clear communication, not taking anything for granted, and full accountability are of the utmost importance.
Contact Wisr Today!
Wisr is a thought leader in this industry and continues to refine technologies to keep up with the landscape of cyber threats. The investment is worth the peace of mind alone.
To learn more about how we can protect your SMB from the worst-case scenario, reach out to our team of experts here today!
References:
https://panorays.com/blog/the-5-most-notable-third-party-data-breaches-of-2021-so-far/
https://redriver.com/security/target-data-breach
https://securityboulevard.com/2021/06/third-party-data-breaches-a-rising-threat/
https://healthitsecurity.com/news/elekta-data-breach-leaks-patient-info-at-oklahoma-cancer-center
https://www.csoonline.com/article/3634375/6-steps-for-third-party-cyber-risk-management.html
