What is Vendor Risk? The Big Impact of Third-Party Breaches

Kaushik Sen
updated Aug 24, 2021

UpGuard’s researchers regularly uncover and report on corporate data breaches. We often find that the breach is not directly caused by the company, but by one of its third-party vendors. This series of posts is about a less-understood aspect of vendor risk: data breaches by third-party vendors. We will run you through many types of data breaches, how they relate to your third-party vendors, and ultimately what you can do to prevent them from hurting your business. Third-party vendors are common targets of industrial espionage.

So, maybe you work for a large multinational that outsources entire business functions? Or a small-medium business that runs its operations using SaaS (software-as-a-service) applications, paid for with a credit card? Using third-party vendors is now the rule, rather than the exception.

To provide value to your business, your vendors typically need access to at least some of your important data. From trade secrets through to API keys, you’re trusting your third-party vendors with sensitive data. By trusting your vendors with sensitive data, you’re then also taking on the associated vendor risk of a data breach.

There are many different kinds of sensitive data that can be exposed, each with its own particular exploits and consequences.

System Credentials

Let’s start with “system credentials,” the data that grants access to other resources or capabilities. The impact of a credential breach is typically high, and so is the associated risk level, because exposed credentials enable attackers to compromise other, even more sensitive information.

By better understanding what types of system credentials exist, why they matter, and what the potential consequences of their exposure are, you can more effectively take action to control this information and prevent future data breaches.

Exposed credentials are a well-known form of data breach, but there are many different kinds of credentials, some more obvious than others, and the consequences of a breach will differ accordingly.

And finally, the data exposures we reference in these articles are found on the open internet, not the dark web. Our research corroborates that of other security experts: the dark web is overestimated as a source of data breach information, because by the time such data reaches the dark web, it has already been exploited.

Why does this matter? Because catching data exposures on the open internet is a proactive strategy to secure data before it gets in the hands of those who would try to profit from it on the dark web.

What Steps Can I Take To Reduce Vendor Risks?

You now know that your vendors could be exposing your business to risk in a number of ways:

  • By leaking data from your systems
  • By leaking data from their systems
  • By their vendors leaking data. These are your fourth-parties.

This is a pretty broad spectrum of risk. We highly recommend that you consider the potential for data leaks as a critical component of your vendor risk management strategy.

A best practice approach (we're biased, it involves us) could look like this:

This is just one approach. You should do what is right for your business. But whatever you do, please don’t ignore the issue! In today's world, you are just one SaaS signup form away from a data breach. In 2018, a proactive vendor risk management strategy has become a critical requirement to stay in business, not just an optional capability proposed by Information Security managers.

Are You at Risk of a Third-Party Breach?

UpGuard can protect your business from data breaches, identify all of your data leaks, and help you continuously monitor the security posture of all your vendors.

UpGuard also supports compliance across a myriad of security frameworks, including the new requirements set by Biden's Cybersecurity Executive Order.
