Companies have enough problems battling internal cybersecurity risks without worrying about third-party security issues.
Unfortunately, third-party cybersecurity breaches occur more frequently than one might think. Just ask security officials at Target Corporation, Marriott Corp., and the U.S. Office of Personal Management – all of which experienced severe third-party cyber breaches during the past decade.
While those high-profile brands are the biggest targets, third-party breaches happen to companies of all sizes, with severe outcomes – and the resulting damage is onerous.
According to a recent study by the Poneman Institute , the average financial loss stemming from a third-party security attack is $13 million (that includes the impact on a company’s brand and reputation, along with loss of customers and, for publicly-traded companies, a negative hit to a company’s stock prices.)
How can companies establish a bulwark against potential third party breaches? The good news is that when companies establish an ongoing policy of serious third-party security review, third-party security risks decline exponentially.
Here are the best steps in getting the job done, third-party security-wise.
Know exactly who has access to your data (and the level of access.) Keep close tabs on third-party providers who gain access to your company’s systems and data.
That should be a priority even if a business provider is a trusted long-term partner. It’s important that cybersecurity managers understand that third-party business partners may not possess the same high standards of security, even though they have full “insider privileges” with complete system access. Those scenarios deserve close scrutiny on an ongoing basis.
Learn from other companies’ experiences. Hopefully, your firm hasn’t had to deal with a third-party cyber-attack.
If you have, learn from the experience. If you haven’t, learn from the breaches other companies have experienced. Talk to industry peers, attend all the cyber-security conferences you can, and listen to industry podcasts to learn how companies cleaned up after a third-party cyber security event.
It’s also highly advisable to conduct a thorough, nuts-and-bolts security review and test and retest all of your firm’s cybersecurity policies and lines of defense. Make sure your third-party partners are consulted and in the loop every step of the way. By learning and testing together, your company can significantly reduce the chances of being victimized by a third-party security breach.
Know your business partner’s business partners. In 2020, a host of major travel platforms, including Hotels.com and Expedia, had more than 10 million customer data records exposed after an industry software partner suffered a massive data breach. The damage was extensive, with industry companies suffering tens of millions of dollars in damage.
The breach was indicative of most major third-party software breaches in that the companies slammed by the cyberattack apparently didn’t know (or didn’t know enough about) how their business partners were storing customer data.
In the cybersecurity industry, such “Nth party risk” occurs more often than risk managers may realize, as third-party vendors share data with third-party business partners down the line, largely without the knowledge and security policy enforcement measures in place needed to properly secure customer data.
In that scenario, travel industry heavyweights may not have known exactly who was sharing their customer data, but that didn’t matter – ultimately, it’s the responsibility of the primary company to secure customer data – even if third-party companies are directly responsible for a cyberattack.
Thwart “unforced errors.” Some third-party cyber breaches result from unforced errors that can fairly easily be remedied. In the case of Health Share of Oregon, customer data records were exposed in 2020 after an independent third-party contractor’s workplace was broken into and a laptop containing client Medicare records was stolen.
Any cybersecurity risk manager should take a hard look at security policies that allow contractors to take valuable company data offsite, which significantly heightens the risk of company data being compromised. Compliance managers should create and enforce strict physical security policies – Fixed Disk Encryption on all contractors’ digital devices is a good place to start – that protects client data when it leaves the workplace.
The Takeaway on Curbing Third-Party Cybersecurity Risks
Negative outcomes from third-party security risks are abundant, with data breaches, fraud and theft, compliance issues, and damage to a company’s professional brand topping that list.
These risks are not always easy to uncover, so a security-minded company needs to think and act aggressively to protect its reputation against security and compliance violations.
After all, once a company’s data is breached, its reputation is breached, too.
Make no mistake, both are difficult to fix once you’ve lost them – and the recent cascade of high-profile third-party security breaches are a good example of that.