The Scariest Breach – Your ‘Trusted’ Partners – Part One
This is Part One of a two-part blog on the risks of third-party data breaches. Part Two provides suggestions from cybersecurity experts on how you can proactively manage this growing problem.
According to Ponemon Institute, 56 percent of organizations have had a breach that was caused by one of their vendors.
Security issues surrounding partners, contractors, suppliers, and other third-party stakeholders have been in the news frequently. The problem has typically been overlooked, but, hopefully, the increased attention will open executives’ eyes and prompt organizational plans that address the who, what, and where of corporate information that may be compromised or exposed, intentionally or unintentionally. That is one more to-do item for your security plan. You do have one, don’t you?
Why is it so important? It’s obvious: damage to your reputation or brand, exposure of your trade secrets, data breaches over which you have no control, and, of course, the financial and legal repercussions. According to Soha Systems’ survey on third-party risk management, 63 percent of all data breaches are linked in some way to third parties, such as contractors, suppliers, or vendors that have access to business systems. Third-party access adds another layer of complexity to an already hard problem. If you think you have a stellar cybersecurity plan, think again: the third parties that hold or touch your data are probably the weakest link in your data management chain.
- Look at the Target breach that impacted 40 million people. The initial intrusion into its systems was traced back to network credentials that were stolen from a third-party heating, ventilation, and air conditioning (HVAC) vendor.
- A transcriptionist vendor for Orlando Orthopaedic Center made an error during a software upgrade, which resulted in the exposure of 19,101 patient records, and this wasn’t reported for two months.
- Best Buy, Sears, Kmart, and Delta were all hit by the same malware because they used the same chat and customer service vendor that was infected. The number of records exposed is still unknown.
- MyFitnessPal was hacked earlier this year, sending parent company Under Armour’s shares down 3 percent. Approximately 150 million user accounts were hacked. The vulnerability was introduced through an acquired business unit. This was the largest hack in 2018, according to Reuters.
- And the list goes on – Chili’s, Applebees, MyHeritage Genealogy Site – 92 million customers, Universal Music Group, Saks Fifth Avenue, Corporation Service Company, Cambridge Analytica, Ticketmaster, and all those other organizations that have never reported a breach, or don’t know about one yet.
Third-party breaches also hit your wallet – they are now the most expensive incidents for both large and small organizations. This year, the average cost of a third-party data breach reached $120,000 for small and midsize businesses – 36 percent higher than in 2017, at $88,000. For large enterprises, the average impact of a breach is up to $1.23 million – a 24 percent increase since last year, according to DARKReading.
We develop software that provides automatic multi-term metadata generation, auto-classification of content, and tools for managing that content. Why does this help? Because it finds the needles in the haystack: your unknown exposures, the sensitive content you don’t know you hold. Once found, that content can be protected, access to it verified, and remediation or redaction carried out. Because the generated metadata captures content in context, specific portions of a document can be prevented from being shared with third parties.
Along with our parent company Netwrix, we can now offer added security functions that help you proactively identify the transmission or exfiltration of data that may contain sensitive or private information. By analyzing end-user behavior, anomalous activity can be flagged before it turns into a breach. And if you are already using our conceptClassifier platform to classify and control that data, the exposure is far less likely to happen in the first place.
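As an added example (not code from this page’s author, nor the conceptClassifier product), the following Python sketches the mechanism the paragraph describes: content-pattern detectors generate metadata (a sensitivity label plus the spans that earned it), the flagged spans can be redacted, and a share check uses the label to decide what a third-party recipient may receive. The sample documents, finding types, weights, labels, internal mail domain, and sharing policy are all constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample documents for this example (not real customer data).
DOCS = {
    "invoice-1042.txt": (
        "Invoice for ACME Corp. Contact: jane.doe@example.com\n"
        "Card on file: 4111 1111 1111 1111, exp 09/27\n"
    ),
    "memo.txt": "Quarterly planning memo. Nothing sensitive here.\n",
    "hr-note.txt": "Employee SSN 123-45-6789 filed with benefits form.\n",
    "vendor-contact.txt": "Vendor contact: bob@vendor-example.net\n",
    "tracking.txt": "Tracking ref 4111 1111 1111 1112 for shipment 77.\n",
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def valid_pan(m: re.Match) -> bool:
    return luhn_ok(re.sub(r"[ -]", "", m.group(0)))

# (finding type, weight, pattern, validator). Types and weights are assumptions.
DETECTORS = [
    ("PAYMENT_CARD", 3, re.compile(r"\b(?:\d[ -]?){13,16}\b"), valid_pan),
    ("US_SSN", 3, re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: True),
    ("EMAIL", 1, re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), lambda m: True),
]

@dataclass
class Classification:
    label: str                                     # INTERNAL < CONFIDENTIAL < RESTRICTED
    findings: list = field(default_factory=list)   # (type, start, end) spans in the text

def classify(text: str) -> Classification:
    """Generate metadata for a document: a sensitivity label plus the spans behind it."""
    findings, score = [], 0
    for kind, weight, pattern, validate in DETECTORS:
        for m in pattern.finditer(text):
            if validate(m):
                findings.append((kind, m.start(), m.end()))
                score += weight
    label = "RESTRICTED" if score >= 3 else "CONFIDENTIAL" if score >= 1 else "INTERNAL"
    return Classification(label, sorted(findings, key=lambda f: f[1]))

def redact(text: str, findings) -> str:
    """Replace each flagged span with a marker that names the finding type."""
    out, pos = [], 0
    for kind, start, end in findings:
        out += [text[pos:start], f"[{kind} REDACTED]"]
        pos = end
    out.append(text[pos:])
    return "".join(out)

INTERNAL_DOMAINS = {"example-internal.com"}   # assumption: the organization's own mail domain

def share_decision(text: str, recipient: str):
    """Gate a share: full copy inside the org; redacted or blocked for third parties."""
    cls = classify(text)
    if recipient.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS:
        return "allow", text, cls.label
    if cls.label == "RESTRICTED":
        return "block", None, cls.label
    if cls.label == "CONFIDENTIAL":
        return "redact", redact(text, cls.findings), cls.label
    return "allow", text, cls.label

def inventory(docs=DOCS) -> dict:
    """The needles in the haystack: every document with its generated label."""
    return {name: classify(text).label for name, text in docs.items()}

if __name__ == "__main__":
    for name, label in inventory().items():
        print(f"{name:20} {label}")
    for name, text in DOCS.items():
        action, _, _ = share_decision(text, "analyst@third-party-example.com")
        print(f"share {name} externally -> {action}")
```

Run it to print the inventory and the per-document share decisions. The Luhn check on the card-number detector is what keeps the shipment reference in tracking.txt out of the findings; without that kind of validator on each detector the labels drown in false positives and the share gate becomes something users route around rather than a control.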
Read Part Two of this blog to see some of the suggestions by cybersecurity experts to successfully tackle this growing issue.