Nearly all companies rely on Third-Parties, for functions such as:
- SaaS and Cloud-hosted web services
- Cloud-based storage
- Equipment Maintenance
- HVAC servicing
- Outside Information Technology Services
- Outside experts such as litigation support, e-discovery, bookkeeping
- Photocopy and document preparation companies
- Cleaning services, particularly if cleaning is performed after-hours and the company does not enforce a Clean Desk Policy, or access is not restricted in areas containing sensitive information.
Although a Third-Party can provide vital services, companies need to remain vigilant about their Third-Parties and the access granted to their organizational resources. In the event of a Third-Party incident, the consequences can prove significant, and include regulatory actions, damage to reputation, and a loss of revenue.
According to recent studies conducted by the Ponemon Institute (an independent research center dedicated to privacy, data protection and information security policy), dated February 2022, approximately 60% of data breaches are linked to a Third-Party. In addition, approximately 54% of organizations do not have a comprehensive inventory of all Third-Parties having access to their network, and 65% of organizations have not identified the Third-Parties with access to their organization’s most sensitive data.
Some additional statistics:
- Eighty percent of companies surveyed have experienced a ransomware attack, despite spending an average of $6 million annually on ransomware mitigation resources.
- The average ransomware payment is approximately $1 million.
- Companies are spending $170,000 per ransomware incident on staffing, with an average of 14 staff members each spending 190 hours on containment and remediation activities.
- If a Third-Party causes a breach, the cost is estimated to rise by almost $400,000.
Why Are Third-Parties So Risky?
The risk is in the connection between a Third-Party and a client’s system, because access can be obtained to a number of systems, and importantly, sensitive data.
Third-Party remote access can become uncontrolled. Organizations may lose track of which Third-Parties were granted access. Changes at the Third-Party can occur, such as new hires or changes in company processes, that accidentally expose the Covered Entity’s data to unintended people. A Third-Party can end up with more access than necessary. In short, when organizations give access to Third-Parties, they are widening their attack surface, because any remote connection is an access point into the network for a hacker.
Even if the Third-Party doesn’t have direct network connectivity, the Covered Entity may have shared information with the Third-Party, which the Third-Party then stores, and potentially transmits, within its own environment.
Either way, it is critical that the Covered Entity actively understands what controls the Third-Party has in place, and whether those controls are actually practiced and effective. In short, it is important to understand the Third-Party security risk to the Covered Entity and make educated decisions as to how that risk is going to be addressed.
Some Notable Third-Party Breaches
SolarWinds, 2020
Description: SolarWinds develops software to help businesses manage their networks, systems, and information technology infrastructure. SolarWinds is a Third-Party for many organizations, including numerous federal government agencies.
Hackers who appear to be associated with the nation-state hacking group Cozy Bear, part of the SVR arm of Russian intelligence services, accessed the development operations of SolarWinds and inserted malware into a software update that SolarWinds distributed in March 2020. Once installed, the malware connected to a network belonging to the hacking group, giving the group access to the customer’s network. The attack was particularly effective because the compromised software, by its network-management role, already had access to the hosts across the network.
Third-Party breaches are often successful because Third-Parties, including vendors, suppliers, contractors, and business partners, may have weaker security controls than the organization they provide services to.
Accellion, 2020–2021
Description: Cybercriminals exploited vulnerabilities in Accellion’s File Transfer Appliance, which is used to move large and sensitive files within a network, to expose private data such as Social Security numbers and banking information. The victims included the Reserve Bank of New Zealand, the state of Washington, grocery chain Kroger, the University of Colorado, and the cybersecurity firm Qualys.
Audi and Volkswagen, 2021
Description: The Volkswagen Group of America, Inc. was notified that its vendor had left unsecured data on the Internet between August 2019 and May 2021 that had been accessed by an unauthorized party. The breach affected 3.3 million customers. The exposed data varied from contact information to Social Security numbers and loan numbers.
Kaseya, 2021
Description: The REvil ransomware group exploited a vulnerability in Kaseya VSA, a remote monitoring and management software platform. Kaseya shut down both its on-prem and cloud SaaS servers as a precautionary measure, and it was later revealed that as many as 1,500 companies worldwide were affected. Following the attack, REvil demanded a $70 million payment in bitcoin to decrypt all of the systems. The incident caused a complete shutdown of the affected businesses and was termed the largest ransomware attack in history. Fortunately, the majority of companies did not pay the ransom, because backups had not been deleted and data was not stolen.
What if One of these Companies is YOUR Third-Party?
Since Third-Parties are often easier to infiltrate than larger organizations, the majority of data breaches begin with them. Consequently, it is important to implement a robust Third-Party Security Risk Management program, so that companies understand every Third-Party vendor involved, and can assess their security methods.
How To Implement a Third-Party Risk Management Program
- Inventory all Third-Parties having access to company resources. Document their business function and level of access. Determine the risk associated with each Third-Party’s access into vital company resources. We typically like to tier Third-Parties by anticipated risk level.
- Review Third-Party security risk on a regular basis. This should also be done before onboarding each new Third-Party and/or granting any Third-Party remote access. For non-performers, or those that present too much risk, decide how that risk is going to be dealt with. Such decisions could include discontinuing service with that Third-Party, significantly limiting the data that the Third-Party has access to, and encouraging and/or requiring the Third-Party to comply with cybersecurity controls.
- Implement permissions based on least-privilege access. Restrict permissions to only the application or system needed, so that a Third-Party is unable to access other areas of the network.
Reach out to Vestige to learn more about the security risks involved with Third-Parties and implement a crucial Third-Party Risk Management (TPRM) Program today. CONTACT US to discuss your company’s needs.
By Mary Brewer, MBA, BS, AAS