UpGuard’s researchers regularly uncover and report on corporate data breaches. We often find that the breach was not directly caused by the company itself but by one of its third-party vendors. This series of posts is about a less-understood aspect of vendor risk: data breaches caused by third-party vendors. We will walk you through the main types of data breaches, how they relate to your third-party vendors, and ultimately what you can do to prevent them from hurting your business.
Maybe you work for a large multinational that outsources entire business functions, or for a small or medium-sized business that runs its operations on SaaS (software-as-a-service) applications paid for with a credit card. Either way, using third-party vendors is now the rule rather than the exception.
To provide value to your business, your vendors typically need access to at least some of your important data. From trade secrets through to API keys, you’re trusting your third-party vendors with sensitive data. By trusting your vendors with sensitive data, you’re then also taking on the associated vendor risk of a data breach.
There are many different kinds of sensitive data that can be exposed, each with its own ways of being abused and its own consequences.
Let’s start with “system credentials,” the data that grants access to other resources or capabilities. The impact of a credential breach is typically high, and so is the associated risk level, because credentials are a stepping stone: an attacker who obtains them can reach other, even more sensitive information and systems.
Exposed credentials are a well-known form of data breach, but there are many different kinds of credentials, some more obvious than others, and the consequences of a breach differ accordingly. By understanding what types of system credentials exist, why they matter, and what the consequences of their exposure are, you can take more effective action to control this information and prevent future data breaches.
And finally, the data exposures we reference in these articles are found on the open internet, not the dark web. Our research corroborates that of other security experts: the dark web is overestimated as a source of data breach information, because by the time such data reaches the dark web it has usually already been exploited.
Why does this matter? Because catching data exposures on the open internet is a proactive strategy: it lets you secure data before it gets into the hands of those who would try to profit from it on the dark web.
Vendor Risk from System Credentials
This series of six articles goes through the types of system credentials we’ve typically found through researching thousands of data breaches. We're going to update this post weekly, so please do check back regularly to read the latest articles.
- Part 1 - The Pitfalls of Leaked Administrative Passwords
- Part 2 - Don’t Use Production Data in your Test Environment: The Impact Of Leaked Test Credentials
- Part 3 - Third Party Credentials and Vendor Risk: Safeguard Your Applications
- Part 4 - Risks From Exposing Your Database Connections
- Part 5 - Third-Party Vendor Risk From API Keys
- Part 6 - The Impact Of Leaked Certificates and Private Keys
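The credential categories listed above are exactly what a proactive exposure check looks for in files that turn up on the open internet (a public bucket, a stray `.env`, a pasted config). The scanner below is an added illustration written for this post, not UpGuard’s own tooling or the method used in the articles; its regular expressions are assumed heuristics, and the configuration file it scans is constructed for the example. It classifies each hit into one of the series’ categories and redacts the matched value so that a report never re-leaks the secret it found.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Heuristic patterns, one per credential category in this series. These are
# assumptions for the example, not an exhaustive or vendor-specific rule set.
# Order matters: more specific patterns come first so a line is reported once.
PATTERNS = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
    # user:password@host in a database URL; group 1 is the password
    "database_connection": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:([^\s@]+)@\S+"
    ),
    # AWS access key IDs have a fixed, well-known prefix and length
    "aws_access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "api_key": re.compile(
        r"(?i)(?:api[_-]?key|secret(?:[_-]?access)?[_-]?key|access[_-]?token)\b"
        r"\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
    # password assignments; \b after the keyword avoids PASSWORD_MIN_LENGTH etc.
    "admin_password": re.compile(
        r"(?i)(?:admin[_-]?)?pass(?:word|wd)?\b\s*[=:]\s*['\"]?([^\s'\"]{4,})"
    ),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    preview: str  # redacted: never carries the secret itself


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it, never enough to reuse it."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_text(text: str) -> list[Finding]:
    """Scan a config-like text and report one finding per credential line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # m.lastindex is None when the pattern has no capturing group
            secret = m.group(1) if m.lastindex else None
            preview = redact(secret) if secret else "(PEM header; key material follows)"
            findings.append(Finding(line_no, category, preview))
            break
    return findings


# Constructed sample of a leaked .env-style file. No real credentials: the AWS
# values are the documented placeholder keys from the AWS docs.
SAMPLE = """\
# constructed sample config (not real data)
LOG_LEVEL=info
PASSWORD_MIN_LENGTH=12
ADMIN_PASSWORD=Winter2024!
DATABASE_URL=postgres://app:s3cret-pw@db.internal:5432/prod
API_KEY = "example_key_0123456789abcdefXYZ"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no:>3}  {f.category:<20} {f.preview}")
```

Two design points carry over to any real exposure-monitoring process: report findings by category (the series’ taxonomy maps directly to who must rotate what), and never copy the recovered secret into the alert or ticket, which would turn the detection system itself into a second leak.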
What Steps Can I Take To Reduce The Risk?
You now know that your vendors could be exposing your business to risk in a number of ways:
- By leaking data from your systems
- By leaking data from their systems
- By their own vendors leaking data. These are your fourth parties.
This is a pretty broad spectrum of risk. We highly recommend that you treat the potential for data leaks as a critical component of your vendor risk management strategy.
A best practice approach (we're biased, it involves us) could look like this:
- Start proactively monitoring your own company's technology and cyber security posture. Use UpGuard Core to control your internal systems, and UpGuard BreachSight to monitor your external exposures.
- Use a formal process to onboard your third-party vendors, and continuously monitor the risk they pose to your business through a combination of automated security ratings and vendor security questionnaires, with a product like UpGuard CyberRisk. You can learn more about this topic in our brief history of vendor scoring.
- Finally, probe even deeper to understand your fourth-party vendors, their associated risks and your exposure to them. UpGuard CyberRisk takes care of this too.
This is just one approach. You should do what is right for your business. But whatever you do, please don’t ignore the issue. In today's world, you are just one SaaS signup form away from a data breach. In 2018, a proactive vendor risk management strategy has become a critical requirement to stay in business, not just a nice-to-have foisted upon us by 'paranoid' information security managers.
Learn more about how you can control third-party vendor risk.