Vendor Risk: The Impact Of Data Breaches By Your Third-Party Vendors

Last updated by Kaushik Sen on November 5, 2018

UpGuard’s researchers regularly uncover and report on corporate data breaches. We often find that the breach is not directly caused by the company, but by one of their third-party vendors. This series of posts is about a less-understood aspect of vendor risk, data breaches by third-party vendors. We will run you through many types of data breaches, how they relate to your third-party vendors, and ultimately what you can do to prevent them from hurting your business.

Perhaps you work for a large multinational that outsources entire business functions, or for a small or medium-sized business that runs its operations on SaaS (software-as-a-service) applications paid for with a credit card. Either way, using third-party vendors is now the rule rather than the exception.

To provide value to your business, your vendors typically need access to at least some of your important data. From trade secrets through to API keys, you’re trusting your third-party vendors with sensitive data. By trusting your vendors with sensitive data, you’re then also taking on the associated vendor risk of a data breach.

There are many different kinds of sensitive data that can be exposed, each with its own ways of being exploited and its own consequences.

System Credentials

Let’s start with “system credentials,” the data that grants access to other resources or capabilities: passwords, API keys, tokens, private keys and the like. The impact of a credential breach is typically high, and so is the associated risk, because credentials are an enabler: an attacker who obtains them can go on to compromise other, even more sensitive information.

By better understanding what types of system credentials exist, why they matter, and what the potential consequences of their exposure are, you can more effectively take action to control this information and prevent future data breaches.

Exposed credentials are a well-known form of data breach, but there are many different kinds of credentials, some more obvious than others, and the consequences of a breach will differ accordingly.

Finally, the data exposures we reference in these articles are found on the open internet, not the dark web. Our research corroborates that of other security experts: the dark web is overestimated as a source of data breach information, because by the time such data reaches the dark web, it has already been exploited.

Why does this matter? Because catching data exposures on the open internet is a proactive strategy to secure data before it gets in the hands of those who would try to profit from it on the dark web.
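As an added illustration (not part of the original article and not UpGuard's tooling), here is a small Python scanner of the kind you could run over configuration files a vendor has shared with you, or that you find published in a public repository or bucket, to catch credential-shaped tokens before anyone else does. The AWS access key ID format (AKIA followed by 16 upper-case alphanumerics) and the PEM private-key header are public formats; the generic "name = value" pattern and the placeholder list are heuristics chosen for this example, and the sample config it scans is constructed (the AWS key in it is Amazon's documented example value).

```python
"""Scan text for credential-shaped tokens.

Added example for this article; the patterns below are heuristics and the
sample input is constructed, not data from any real exposure.
"""
import re
from dataclasses import dataclass

# Public formats: AWS access key ID (AKIA + 16 upper-case alphanumerics) and the
# PEM private-key header. The URL and "assignment" patterns are heuristics and
# will produce some false positives on ordinary config files.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    # scheme://user:password@host -> capture the password part
    "url_with_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@]+)@"),
    # password=..., API_KEY: "...", AWS_SECRET_ACCESS_KEY=... (value of 8+ chars)
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)[a-z0-9_]*\s*[=:]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# Values that look like secrets but are obviously placeholders (assumed list).
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


@dataclass
class Finding:
    kind: str
    line_no: int
    sample: str  # redacted, so the scan report itself is not a new exposure


def redact(token: str) -> str:
    """Keep just enough of the token to recognise it, never the whole value."""
    return token[:4] + "..." + token[-2:] if len(token) > 8 else "***"


def scan(text: str) -> list:
    """Return a Finding for every credential-shaped token in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Patterns with a capture group isolate the secret; the PEM
                # header pattern has none, so the whole match is the token.
                token = match.group(1) if match.groups() else match.group(0)
                if token.lower() in PLACEHOLDERS:
                    continue
                findings.append(Finding(kind, line_no, redact(token)))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind, e.g. for a vendor-risk report."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: what a vendor's config file might look like when it is
# committed to a public repository. The AWS key is Amazon's documented example.
SAMPLE_CONFIG = """\
# constructed sample: a vendor's config committed to a public repo
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DATABASE_URL=postgres://app:s3cr3tPassw0rd@db.internal:5432/prod
password = changeme
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
"""


def scan_sample() -> list:
    """Run the scanner over the constructed sample above."""
    return scan(SAMPLE_CONFIG)


if __name__ == "__main__":
    for finding in scan_sample():
        print(f"line {finding.line_no}: {finding.kind} ({finding.sample})")
    print(summarize(scan_sample()))
```

Two design points worth keeping in anything you build from this: the report redacts every token it finds, so the scan output can be shared with the vendor without copying the secret around, and the `password = changeme` line shows why a placeholder list matters, because a scanner that cannot tell placeholders from real values gets tuned out quickly. Treat every hit as a credential to rotate, not merely to delete; a key that has been on the open internet should be assumed used.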


Vendor Risk from System Credentials

This series of six articles goes through the types of system credentials we’ve typically found through researching thousands of data breaches. We're going to update this post weekly, so please do check back regularly to read the latest articles.


What Steps Can I Take To Reduce The Risk?

You now know that your vendors could be exposing your business to risk in a number of ways:

  • By leaking data from your systems
  • By leaking data from their own systems
  • By their own vendors leaking data (these are your fourth parties)

This is a broad spectrum of risk. We highly recommend that you treat the potential for data leaks as a critical component of your vendor risk management strategy.

A best practice approach (we're biased, it involves us) could look like this:

This is just one approach, and you should do what is right for your business. But whatever you do, don’t ignore the issue: today, you are just one SaaS signup form away from a data breach. In 2018, a proactive vendor risk management strategy has become a critical requirement to stay in business, not a nice-to-have foisted upon us by ‘paranoid’ information security managers.
