These days, companies of all sizes outsource many of their operations to third party vendors. To do their jobs, these subcontractors must be given access to some or all of your data, including API keys and sensitive customer information stored in the cloud. Once you grant outside entities access to the contents of your network, you also take on the risk of a third party data breach: a compromise that reaches you through a vendor rather than through your own systems.
Sensitive Data That Can Be Exposed
Your systems hold a great deal of material that attackers can use directly once they have it. Some examples include the following:
- Administrative passwords
- Production credentials leaked into test environments, fixtures or test code
- Exposed database connection strings (host, user and password in one place)
- API keys
- Private keys and certificates
A breach of your system credentials can be devastating because these items do not merely expose data; they open the door to further intrusions, lateral movement and targeted data theft.
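The categories above are exactly what a secret scan over source trees, configuration files and test fixtures should catch before a vendor (or anyone else) finds them. The following is an added example, not code from the original article: a small regex-based scanner for those categories. The token shapes in the patterns, the redaction rule and the sample file contents are assumptions constructed for illustration; tune the patterns to your own naming conventions and token formats before relying on them.

```python
"""Scan text for the credential categories listed above.

Added example (not from the original article). The patterns and the
sample input are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern


@dataclass(frozen=True)
class Finding:
    kind: str      # which category matched
    line_no: int   # 1-based line in the scanned text
    excerpt: str   # the line with the secret value redacted


# One pattern per category. Order matters: the first match on a line wins,
# so the more specific shapes (PEM header, connection URL) come first.
# The "token" and "api_key" names and the 20+ character body are an
# assumed generic key shape, not any specific provider's format.
PATTERNS: Dict[str, Pattern] = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "db_connection": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^:\s/]+:[^@\s]+@", re.I),
    "api_key": re.compile(
        r"\b(?:api[_-]?key|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})", re.I),
    "admin_password": re.compile(
        r"\b(?:admin_?password|root_?password|password)\s*[:=]\s*['\"]?(\S+)", re.I),
}


def redact(line: str) -> str:
    """Mask whatever follows a ':', '=' or '@' so findings can be logged
    without copying the secret into yet another place."""
    return re.sub(r"(?<=[:=@])\s*\S+", " [REDACTED]", line.strip())


def scan(text: str) -> List[Finding]:
    """Return one Finding per line that matches any category."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(kind, line_no, redact(line)))
                break  # one finding per line is enough to block a commit
    return findings


# Constructed sample: a test fixture that was committed with production
# settings. None of these values are real.
SAMPLE = """\
# test fixture accidentally committed with production settings (constructed)
DATABASE_URL=postgres://app:s3cret@db.internal/prod
API_KEY = "tk_2f9a8c7b6d5e4f3a2b1c0d9e8f7a6b5c"
log_level: debug
admin_password: hunter2
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
"""


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind}: {f.excerpt}")
```

Run it as a pre-commit hook or over a vendor-supplied artifact: a non-empty result is a reason to stop and rotate, not just to log. The redaction step is deliberate; a scanner that prints the secret it found simply creates another copy of it.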
How to Guard Against Third Party Data Breaches
Whether inadvertently or on purpose, vendors can do great harm to the information you have entrusted to them. They can leak data from your systems, release your data from their own systems, or let their own “fourth party” vendors compromise it. It falls to your company to mount defenses that prevent, or at least limit, each of these breaches. A cybersecurity best practices strategy generally includes the following measures:
- Proactively monitor your business’s security environment and posture. This should include automated tools that regularly inspect all internal technology and applications as well as any external exposures. Inventory every vendor, recording which systems and data each one can reach and why. This is the time to revoke any privilege a vendor does not need for the work it is doing.
- If leadership is not already on board, enlist their buy-in. Without adequate investment of time and staff resources, your security posture will slump.
- Using a formal set of processes and protocols, get your third party vendors involved in the process. Tools for this monitoring include security ratings, vendor questionnaires and a security scorecard. If a partner is unwilling to participate in your cyber health plan, or has suffered a breach recently, consider ending the relationship.
- Use the same questionnaires and monitoring tools to scrutinize the fourth party partners with whom you interact indirectly. This is how you learn where contractor-related attacks could originate, so that you can secure your systems against them.
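The review steps above (inventory each vendor's access, revoke what is not needed, treat unassessed or recently breached vendors as a risk, and extend the same scrutiny to fourth parties) can be run as a repeatable check over a vendor-access inventory. The following is an added example, not code from the original article or from any vendor-management product: it assumes an inventory record format, a 90-day staleness threshold and a set of sample vendor records, all of which are constructed for illustration.

```python
"""Review a vendor-access inventory for unnecessary or risky access.

Added example (not from the original article). The record format, the
staleness threshold and the sample vendors are assumptions for this
illustration; real inventories come from your IdP, VPN and cloud IAM.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set


@dataclass
class VendorAccess:
    vendor: str
    system: str                  # the internal system the vendor can reach
    granted: Set[str]            # permissions actually granted
    needed: Set[str]             # permissions the engagement actually requires
    last_used: Optional[date]    # last authenticated use; None = never used
    fourth_parties: List[str] = field(default_factory=list)  # subcontractors with onward access
    assessed: bool = True        # questionnaire / security rating on file
    recent_breach: bool = False  # vendor disclosed a breach in the review window


@dataclass(frozen=True)
class Finding:
    vendor: str
    system: str
    issue: str
    action: str


STALE_AFTER = timedelta(days=90)  # assumed threshold; set it from your own policy


def review(inventory: List[VendorAccess], today: date) -> List[Finding]:
    """Apply the least-privilege and vendor-health checks to every record."""
    findings: List[Finding] = []
    for a in inventory:
        # Access beyond what the engagement justifies: revoke it now.
        excess = sorted(a.granted - a.needed)
        if excess:
            findings.append(Finding(a.vendor, a.system, "excess_privilege",
                                    f"revoke {', '.join(excess)}"))
        # Access nobody has used recently is pure exposure with no benefit.
        if a.last_used is None or today - a.last_used > STALE_AFTER:
            findings.append(Finding(a.vendor, a.system, "stale_access",
                                    "disable credential; re-enable on request"))
        # No questionnaire or rating on file: you do not know this vendor's posture.
        if not a.assessed:
            findings.append(Finding(a.vendor, a.system, "unassessed_vendor",
                                    "send questionnaire; block new access until returned"))
        # A recent breach at the vendor may already have exposed shared credentials.
        if a.recent_breach:
            findings.append(Finding(a.vendor, a.system, "recent_breach",
                                    "rotate shared credentials; review for termination"))
        # Fourth parties inherit the vendor's reach and need the same scrutiny.
        for fp in a.fourth_parties:
            findings.append(Finding(a.vendor, a.system, "fourth_party_access",
                                    f"assess {fp}; confirm it inherits no more than "
                                    f"{', '.join(sorted(a.needed))}"))
    return findings


# Constructed sample inventory; vendor names are hypothetical.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    VendorAccess("Acme HVAC", "building-mgmt",
                 granted={"read", "write", "vpn-full"}, needed={"read", "write"},
                 last_used=date(2024, 5, 22)),
    VendorAccess("PayProc", "payments-db",
                 granted={"read"}, needed={"read"},
                 last_used=date(2023, 11, 1)),
    VendorAccess("DataOps Ltd", "analytics-bucket",
                 granted={"read", "list"}, needed={"read", "list"},
                 last_used=date(2024, 5, 29), fourth_parties=["CloudSub Inc"],
                 assessed=False, recent_breach=True),
]


if __name__ == "__main__":
    for f in review(SAMPLE_INVENTORY, REVIEW_DATE):
        print(f"{f.vendor} / {f.system}: {f.issue}: {f.action}")
```

The useful property of writing the review this way is that `granted` comes from what the systems actually enforce while `needed` comes from the contract or statement of work; any difference between the two is a privilege nobody consciously decided to grant, which is exactly what the inventory step is meant to surface.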
What to Do If an Attack Should Occur
The news no one wants to hear is that your business has suffered a data breach caused by one of your third party vendors. The key is to respond immediately and comprehensively:
- Once the threat has been identified, act at once to contain and neutralize it in both companies, including revoking or rotating any credentials the vendor held. Breach-cost studies have consistently found that faster containment substantially lowers the total cost of an incident.
- Mount a forensic investigation to establish which records were compromised and where the breach originated. You and the vendor can then close the gaps, eliminate the vulnerabilities and make your entire ecosystem as secure as possible. If they are not already in place, firewalls and network segmentation are an important control here: a vendor connection should be able to reach only the systems it needs, so that a compromised vendor cannot pivot into the rest of your network.
Retailer data breaches such as those suffered by Target and Home Depot, both of which began with vendor credentials, have shown that attacks arriving through third party vendors and their partners are as serious as direct attacks by outside hackers. To that end, it is crucial that you create and institute a third party vendor risk management plan. This plan should detail exactly what each vendor can access, the tools and techniques used to monitor all parties, and what happens if a breach occurs, including liability.
All existing partners should accept the plan retroactively, and any new business should be required to agree to its terms before being brought on board. The risk of a breach can never be eliminated entirely, but creating and maintaining this structure, and keeping it current as vendors and their access change, goes a long way toward protecting your all-important data and applications.