A third-party data breach is a breach of your data that occurs through a vendor or supplier: the third party’s systems are compromised, and the data it holds or can reach on your behalf is stolen, even though none of your own systems were attacked.
A third party is any organization with which yours has entered into a business relationship to provide goods, access, or services. Critical third parties are those that need access to sensitive data to deliver their service. Each one extends your attack surface, and a breach at such a vendor can expose you to severe harm.
It’s vital to anticipate and prepare for third-party data breaches because nearly all modern businesses operate within a supply chain. Businesses outsource for efficiency and to obtain the IT infrastructure and services that keep them running, and every such dependency enlarges the attack surface and adds cyber risk.
Businesses need to look beyond the “four walls of their enterprise.” With outsourcing and increasing risks from digitization and interconnectivity, businesses need to consider their business ecosystem to protect sensitive data from cyberattacks and data leaks.
Third-Party Risk Management Challenges
In 2022, one or more third parties were found to have been involved in roughly 20% of all data breaches. The financial impact of these breaches was also greater than that of a breach contained within a single organization once reputational damage, business disruption, and effects on share price were taken into account.
A significant challenge is that third-party vendors are attractive targets. A service provider typically processes and stores customer data for a large number of clients, so compromising one provider yields many victims’ data at once, which may include financial details, card numbers, and social security numbers.
Third-party risk management (TPRM) can be challenging because visibility into another firm’s workflows and operations is limited, and a provider may not be subject to the same compliance obligations as the company contracting it. A specialist cybersecurity firm can, however, perform an outside-in pre-assessment of a potential partner’s security posture from externally observable signals (exposed services and their software versions, DNS, mail and certificate configuration, leaked credentials) without the vendor’s consent or participation. Such an assessment sees only what is visible from the internet, so treat it as a starting point rather than a substitute for evidence of internal controls.
This is useful because firms sometimes insist they have excellent security standards when that is not the case. Without full transparency into a vendor’s controls, your business will need to do its own monitoring or rely on an external third-party risk assessor to judge whether a potential partner is safe to integrate into your business ecosystem.
How to Reduce Third-Party Breach Risk
To reduce the likelihood of third-party breaches, companies must take steps to lower their third-party risk. The following practices help:
Create Third-Party Risk Management (TPRM) Programs
Like building a strong cybersecurity culture, building a third-party risk management (TPRM) program is a highly effective way to reduce third-party breach risk. A TPRM program covers the whole vendor lifecycle, including attack surface reduction, compliance management, cost analysis, and measurement of security performance.
Ponemon’s report Data Risk in the Third-Party Ecosystem found that more than half of respondents from high-performing organizations had engaged the board and executive level in third-party risk management. Third-party security must therefore be a priority for company and business leaders, not just the IT team.
Firms that appreciate the importance of third-party risk remember to consider the entire business ecosystem. This helps them prepare for the potential impact of cyber attacks against their business partners and supply chains.
Establish Minimum Security Controls for Third Parties
Businesses must establish a set of minimum cybersecurity controls for their third-party vendors and suppliers. Stating the required standard or framework up front significantly reduces the risk of a third-party breach and gives vendors a clear target.
For vendors that do not meet the minimum, businesses can either work with them to close the gaps or move to a more secure, lower-risk alternative.
Most businesses have a process for onboarding vendors, but managing third-party risk also requires a process for offboarding them: revoking their access, recovering data or verifying its deletion, and closing integrations. Done well, offboarding improves security posture and reduces exposure without causing costly business disruption.
Build Third-Party Accountability
Once businesses have set cybersecurity standards for partners, they must hold third parties to them. This means making vendors contractually responsible for upholding the minimum security measures and reviewing agreed security metrics as part of the annual review process.
Meeting the minimum once is not enough. The ever-changing threat landscape makes cybersecurity a journey that requires continuous auditing, monitoring, assessment, and adjustment to keep vendor risk low and customer information protected.
With this in mind, contracts with business partners should require them to remediate identified security issues within a defined time frame and to report when the remediation is complete.
Perform Vendor Due Diligence Assessments
The time to assess a third-party vendor or solution provider is during procurement, before the contract is signed. Vendor due diligence identifies the biggest risks and the most likely points of compromise, and minimizes the chance of a partner compromising your business and clients.
A risk assessment identifies both the most likely risks and those that would do the most damage. With that information, firms can prioritize remediation and protect confidential information. If a potential vendor carries too many critical risks that could severely impact the business, it may be best to avoid that vendor or to require remediation before engaging.
Use Security Ratings
It’s useful to have a standardized way to assess third parties. Security ratings let the assessor compare potential partners on a common scale and understand how each would affect the firm’s security posture.
With security ratings, a Chief Information Security Officer (CISO) can quickly gain an overview of a third party’s security posture, identify the biggest risks each external firm is exposed to, and see what it has done to remediate its vulnerabilities. This matters because those issues are a risk to your supply chain.
Security ratings provide a clear way to explain cybersecurity risk to non-technical stakeholders and decision-makers, including the C-suite, which is increasingly involved in cybersecurity, recognizing it as an operational issue rather than an IT problem.
Furthermore, accessible, documented, and transparent security standards keep everyone on the same page. Firms that wish to partner with you know what they must do to earn your business and maintain your confidence. Likewise, firms displaying their security standards to you clearly wish to keep their business ecosystem safe from disruption and data breaches by cybercriminals.
Keep an Accurate Inventory of Vendors
Many firms struggle to keep track of and monitor their third-party vendors, which leaves them more exposed to vendor risk: they cannot defend against risks they do not know they carry.
While it’s essential to draw a line and ensure that a business performs due diligence going forward, it’s also critical to get a handle on its existing vendors. This may be relatively straightforward for a small business but can be significantly more complicated for an enterprise-level organization.
The risks faced and posed by vendors change over time. Emerging threats and changes to business operations mean that security postures are not fixed, and an audit is only a snapshot of a vendor’s posture at one moment. A system of continuous third-party risk monitoring is therefore needed to make sure vendors remain within acceptable parameters for third-party breach risk.
Because of these challenges, creating and maintaining an inventory of third parties, their security postures, and their risk profiles is essential to protecting a business, its staff, and its customers and clients.
Measure Fourth-Party Risk
Third-party risk extends to the vendors of your vendors, known as fourth parties. Fourth parties are often unknown to the business, which is a breach risk when they form an important part of the third party’s own supply chain. A fourth party that can access even a small portion of critical data should be held to the same minimum security requirements as the third party that introduced it; in practice, that means requiring vendors to disclose their sub-processors and to flow your requirements down to them contractually.
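The practices above (minimum controls for any party that touches sensitive data, contractual remediation deadlines, an inventory whose assessments go stale, and fourth parties inheriting the same requirements) can be turned into a check that runs over a vendor register. The following is an added example, not code from the original article or from any TPRM product; the vendor names, control identifiers, dates and thresholds are constructed for illustration, and the control names would be mapped onto whatever framework your contracts actually reference.

```python
"""Minimal third-party and fourth-party inventory check (added example).

Vendors, controls, dates and thresholds below are constructed; none are real.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Minimum controls demanded of any party that can reach sensitive data.
# Hypothetical identifiers that mirror the requirement sections of this article.
REQUIRED_CONTROLS = {"mfa", "access_reviews", "audit_logging", "incident_response_plan"}
MAX_ASSESSMENT_AGE = timedelta(days=365)  # an audit older than this is a stale snapshot
REMEDIATION_SLA = timedelta(days=30)      # contractual window to close an open finding
SAMPLE_TODAY = date(2024, 6, 1)           # fixed "today" so the sample run is reproducible


@dataclass
class Finding:
    control: str
    opened: date
    closed: date | None = None


@dataclass
class Party:
    name: str
    handles_sensitive_data: bool
    controls: set[str]
    last_assessed: date | None
    findings: list[Finding] = field(default_factory=list)
    subprocessors: list[Party] = field(default_factory=list)  # fourth parties


def check_party(party: Party, today: date, parent: str | None = None) -> list[tuple[str, str]]:
    """Return (party label, issue) pairs for one party and, recursively, its subprocessors.

    Fourth parties inherit the requirements of the vendor that introduced them,
    so the check recurses instead of stopping at the direct vendor.
    """
    label = party.name if parent is None else f"{party.name} (via {parent})"
    issues: list[tuple[str, str]] = []

    if party.handles_sensitive_data:
        for control in sorted(REQUIRED_CONTROLS - party.controls):
            issues.append((label, f"missing required control: {control}"))
        if party.last_assessed is None:
            issues.append((label, "never assessed"))
        elif today - party.last_assessed > MAX_ASSESSMENT_AGE:
            age = (today - party.last_assessed).days
            issues.append((label, f"assessment stale ({age} days old)"))

    # Open findings past the contractual SLA are flagged for every party, critical or not.
    for finding in party.findings:
        if finding.closed is None and today - finding.opened > REMEDIATION_SLA:
            age = (today - finding.opened).days
            issues.append((label, f"finding '{finding.control}' open {age} days, SLA {REMEDIATION_SLA.days}"))

    for sub in party.subprocessors:
        issues.extend(check_party(sub, today, parent=party.name))
    return issues


def run_inventory_check(inventory: list[Party], today: date) -> list[tuple[str, str]]:
    """Evaluate every direct vendor, and its fourth parties, against the minimum controls."""
    issues: list[tuple[str, str]] = []
    for party in inventory:
        issues.extend(check_party(party, today))
    return issues


def build_sample_inventory() -> list[Party]:
    """Constructed sample register; none of these are real vendors."""
    backup_vendor = Party(  # fourth party: the payroll vendor's own backup provider
        name="CloudBackup Co", handles_sensitive_data=True,
        controls={"mfa", "audit_logging"}, last_assessed=date(2022, 11, 1),
    )
    payroll = Party(
        name="Acme Payroll", handles_sensitive_data=True,
        controls=set(REQUIRED_CONTROLS), last_assessed=date(2024, 1, 15),
        findings=[Finding("audit_logging", opened=date(2024, 5, 20))],  # still inside SLA
        subprocessors=[backup_vendor],
    )
    caterer = Party(  # no sensitive data: the control and assessment checks do not apply
        name="Office Caterers", handles_sensitive_data=False, controls=set(), last_assessed=None,
    )
    analytics = Party(
        name="DataMetrics Ltd", handles_sensitive_data=True,
        controls=set(REQUIRED_CONTROLS), last_assessed=date(2024, 3, 1),
        findings=[
            Finding("mfa", opened=date(2024, 4, 1)),  # overdue
            Finding("access_reviews", opened=date(2024, 2, 1), closed=date(2024, 2, 20)),
        ],
    )
    return [payroll, caterer, analytics]


if __name__ == "__main__":
    for who, issue in run_inventory_check(build_sample_inventory(), SAMPLE_TODAY):
        print(f"{who}: {issue}")
```

Run against the sample register, the check reports nothing for the direct payroll vendor but flags its backup sub-processor for two missing controls and a stale assessment, and flags the analytics vendor for a finding left open past the 30-day SLA. The non-critical caterer produces no findings, which is the point of tiering vendors by data access rather than applying every control to every supplier.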
Suggestions for Third-Party Security Requirements
It’s helpful to adopt an established cybersecurity framework, or at least to draw on one, to inform your information security requirements for third parties. Doing so makes the requirements transparent and clarifies why they are necessary.
For example, the NIST Cybersecurity Framework (CSF), together with the control catalogs behind it such as NIST SP 800-53 and SP 800-171, is widely used. Trusted by businesses worldwide, it is flexible and can be adapted to many sectors and business sizes. Among the control families NIST defines, the following are key for any third party with whom a business is considering a partnership.
Access Control
Access control is a major component of the NIST controls: it defines who may access sensitive data. Limiting access to confidential information to those who genuinely need it (least privilege) dramatically reduces the risk of data leaks and breaches, and that benefit passes on to business partners. Not everyone needs access to critical or sensitive data, and a system that grants, reviews, and monitors privileged access keeps firms accountable and narrows the paths an attacker can take.
Identification and Authentication
For those with access to valuable data, identification and authentication systems are essential for minimizing cyber risk.
Businesses managing third-party risk should insist that their third parties use robust authentication, such as multi-factor authentication (MFA), for every account that can reach their data. MFA dramatically reduces an attacker’s ability to use stolen passwords to access, modify, or steal valuable data. Phishing-resistant methods (FIDO2/WebAuthn security keys or platform authenticators) are preferable to SMS or one-time codes, which can be phished or intercepted.
Accountability and Auditing
To enforce minimum cybersecurity standards, third parties may need to agree to an audit regime, regularly demonstrating to their partners or other interested parties that they are meeting the minimum standards for protecting data.
Continuous security monitoring gives firms an accurate, near-real-time view of their third parties’ vulnerabilities. It complements traditional audits, which are useful but provide only a static view of a constantly changing situation.
The cyber threat landscape changes from moment to moment, with cybercriminals seeking new vulnerabilities and developing new methods to exploit them. Businesses are also changing. Their policies evolve, staff and vendors may change, and they may introduce new workflow technologies. Adding a single device with unapproved software can lower a business’s security rating.
For these reasons, continuous monitoring is essential, especially considering the complexity of third-party and fourth-party risks throughout the supply chain. Businesses will benefit from being updated in real-time about changes to their business partners’ threat levels and their ability to manage cyber risks.
Incident Response
Ensuring that third parties have incident response plans should be a core component of any third-party risk management strategy, and the plan should state how, and how quickly, the vendor will notify you of an incident that touches your data. With a detailed incident response plan, a firm knows what to do in the increasingly likely event of a cyber attack or other cyber incident.
The incident response plan should clearly state the contact details and responsibilities of the incident response team, and it must be written so that anyone can follow it, not only the people who drafted it.
Clarity and preparation let the business react promptly, professionally, and with sufficient security measures to limit damage and minimize business disruption, and present a professional face to the public, peers, and media that may report the incident. All of these affect the extent of the reputational damage that follows a data breach.
Maintenance
Your third-party security policy should also cover maintenance: third parties must not only meet your cybersecurity standards at onboarding but keep systems patched, keep configurations controlled, and keep maintenance access (including remote maintenance by the vendor’s own staff or tools) authorized and logged for the life of the contract.
Physical Protection
Technological controls often overshadow physical security measures. Physical protection matters, however, and third parties can often put effective measures in place with relatively little time or cost compared with software or network-based controls.
Physical protection might include ensuring that devices that store and process critical data are not left unattended. It might mean locking a door or drawer or using physical badges to identify staff and provide privileged access to some building areas.
Third parties, such as those in the retail sector, might increase the use of cameras and security guards around POS systems.
CCTV monitoring of entrances and car parks at a brick-and-mortar location increases security and the ability to identify anyone who has attempted to enter a secure area or physically steal a device. Such physical security measures can improve a business’s security rating and protect its clients’ and customers’ data.
Cybersecurity Awareness and Training
Training during the onboarding process helps businesses move toward better cyber risk governance and a culture of cybersecurity. Whether in person or via webinars, trainers can help staff appreciate the habits and techniques that make a massive difference to a business’s security posture.
A simple act like leaving a client’s name and phone number on a Post-It might seem harmless, but it can pose an information security risk and put an organization in breach of regulatory compliance.
Ensuring that every member of staff understands that they are a stakeholder in data security has never been more important than now, in an era of increasingly robust and demanding regulations such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and, for defense contractors, the Defense Federal Acquisition Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC).
Information Security Policies
Excellent security measures and procedures can suffer from not being applied consistently. For example, procedures and technology may differ between departments, especially in a larger organization, leading to security gaps, accountability issues, and compatibility problems.
Documented information security policies help ensure that every staff member follows the same rule book. This makes it easier for a security team to protect the integrity of networks and more effectively manage entire attack surfaces.
A business should ensure that its third parties meet its minimum cybersecurity requirements and should do its own due diligence to learn their vulnerabilities and the cyber threats they face. Doing so lets the business prioritize the development of cybersecurity maturity across its ecosystem.
Businesses must appreciate that what works for one firm is not necessarily an effective approach for all businesses. With differences in culture, size, sector, geographical location, clientele, business age, cybersecurity maturity, attitude to risk, staff skills, and many other factors, all businesses need to look at cyber risks from their unique perspective to determine how to remediate vulnerabilities and which to tackle first.
Acquisition Policies, Processes, and Procedures
With a documented acquisition policy, businesses can ensure that when they onboard new vendors or adopt new technology, the choice meets their business partners’ expectations and does not raise their risk exposure to an unacceptable level.
A supply chain attack through a software vendor can be devastating and wide-reaching, as the SolarWinds case below shows, so securing the acquisition process helps reduce risk throughout the business ecosystem.
In addition to providing advice regarding the acquisition of new software and hardware, such policies may also cover training requirements to ensure that staff can use the new systems properly without dramatically increasing the risk of misconfigurations and data leaks.
Examples of Third-Party Breaches
Many of the world’s worst third-party breaches have hit the healthcare industry, but they occur across all sectors, including financial institutions, government agencies, and critical infrastructure.
Trinity Health (2020 and 2021)
Trinity Health suffered major third-party data breaches in two consecutive years, 2020 and 2021.
In 2020, the records of 3.3 million patients were compromised when Blackbaud, the vendor that hosted and backed up Trinity Health’s donor database, was hit by a ransomware attack.
Blackbaud halted the attack, but by then the attackers had already exfiltrated a copy of the data. Blackbaud paid the ransom in exchange for an assurance that the copy had been destroyed, but, as is always the case in such situations, there is no guarantee that such files will not later surface on the dark web or elsewhere.
In 2021, Trinity Health suffered a second significant third-party data breach when attackers exploited vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA), which Trinity Health used for file transfers.
The compromised data included personal information and protected health information (PHI), such as:
- Full names and contact details
- Dates of birth
- Financial information
- Medical record numbers
- Lab test results
- Healthcare providers
- Medical claims
Broward Health (2022)
This breach affected 1.3 million patients. The attacker entered through the office of a third-party medical provider that had been granted access to Broward Health’s systems, and it is thought the intrusion could have been prevented had that provider used multi-factor authentication (MFA) on the compromised device.
The security incident led to the compromise of personal data, including:
- Names and addresses
- Dates of birth
- Medical information
- Insurance information
- Driver’s license numbers
Morley Companies (2022)
Morley Companies is a third-party service provider that works with many businesses, including some in the medical sector. A ransomware attack disclosed in February 2022 compromised the records of more than half a million people.
In this case, compromised personal data and protected health information included:
- Names and addresses
- Client ID numbers
- Dates of birth
- Social security numbers
- Health insurance information
- Medical diagnostic information
- Medical treatment information
Mercedes-Benz (2014 - 2017)
It’s not only firms in the healthcare sector that need to manage third-party risk. Businesses in every sector need to manage vendor risk to protect personally identifiable information (PII).
In June 2021, Mercedes-Benz disclosed a data exposure spanning 2014 to 2017 that involved around 1.6 million records. The data had been left accessible on a third-party vendor’s cloud storage platform.
The information had been entered by customers and potential buyers on company and dealer websites, and the sensitive information of fewer than 1,000 people was exposed. Compromised information may have included:
- Full names
- Phone numbers
- Driver’s license numbers
- Credit card information
- Birth dates
- Data regarding purchased vehicles
SolarWinds (2020)
The SolarWinds supply chain attack, disclosed in December 2020, is another example of the far-reaching impact attackers can achieve through a single third-party vendor.
Attackers inserted a backdoor into a legitimate, signed update of the SolarWinds Orion network-management platform, which up to 18,000 customers installed. Government agencies affected included:
- The Department of Commerce
- The Department of Defense
- The Department of Energy
- The Department of Homeland Security
- The Treasury Department
Major private companies, including Microsoft, Intel, and Cisco, also received the trojanized update. The incident had national security implications and prompted a broad federal response: CISA issued an emergency directive in December 2020 ordering federal agencies to disconnect affected Orion systems, and Executive Order 14028 on Improving the Nation’s Cybersecurity, signed in May 2021, set new software supply chain security requirements for federal procurement.