
Third-party breaches occur when sensitive data is stolen from a third-party vendor or when the vendor's systems are used to access and steal sensitive information stored on your systems. In today's digital landscape, it has become standard practice to outsource business processes to vendors specializing in each particular function, whether via a SaaS vendor, a third-party service provider, or a contractor.

This post presents nine actionable tips for keeping your organization safe from third-party breaches.

What is a Third-Party Breach?

A third-party data breach refers to a data breach that has occurred through a third-party company. In a third-party data breach, the vendor or supplier’s system has been compromised and used to steal data that belongs to you.

These third parties aren't typically under your organization's control, and it's unlikely that they provide complete transparency into their information security controls. Some vendors have robust security standards and good risk management practices, while others may not.

A 2019 eSentire survey found that 44% of all firms surveyed had experienced a significant data breach caused by a third-party vendor. And the Cost of a Data Breach Report from IBM found that third-party involvement was one of the five biggest cost amplifiers, increasing the average cost by more than $370,000 to $4.29 million.

Top 9 Third-Party Breach Prevention Tips

To reduce the likelihood of third-party breaches, companies must begin taking steps to reduce their third-party risks. Here are some of the best tips for companies looking to lower the risk of a potential third-party breach or attack:

1. Assess Your Vendors Before Onboarding

Onboarding third-party vendors who will have access to your network and sensitive data without measuring the cybersecurity risk they introduce is risky. Yet, too many organizations fail to perform adequate due diligence during the vendor selection process. 

An easy way to assess a potential vendor without introducing operational overhead for your vendor management team is to use security ratings. Security ratings have been widely adopted because they supplement, and can sometimes replace, time-consuming vendor risk assessment techniques like questionnaires, on-site visits, and penetration tests.

Security ratings let you instantly understand the external security posture of a potential vendor and which cyber threats they may be susceptible to. This greatly reduces the operational burden on TPRM teams during vendor selection, due diligence, onboarding, and monitoring. Additionally, the reports can be shared with vendors and used to remediate issues.

With UpGuard Vendor Risk, you can quickly assess website risks, email security, network security, phishing & malware risk, and brand protection.

Because UpGuard measures externally verifiable controls, this pre-assessment can be done without requiring consent or work from a vendor. You can even benchmark and compare a vendor against their peers and others in their sector to help you make an informed decision about which vendor you should select.

The result is a more accurate, real-time picture of the risk the vendor will introduce to your supply chain, without having to spend time completing costly risk assessments, penetration tests, or vulnerability scans. 


2. Incorporate Risk Management into Your Contracts

Make a practice of incorporating cyber risk into your vendor risk management program and vendor contracts. While this won't prevent a third-party data breach, it means your vendors will be held accountable should their security posture weaken.

Many of our customers incorporate security ratings into their contracts. For example, some stipulate that a vendor who processes personal information or credit cards must maintain a security rating above 900, or risk having their contract terminated. 

We also recommend incorporating SLAs into your contracts so you can steer the cybersecurity risk management behavior of your vendors and reduce your cybersecurity risk. Consider adding language that requires your vendors to communicate or even remediate any security issues within a certain time frame, such as 72 hours for high-risk issues. Additionally, consider adding the right to request a completed security questionnaire once per quarter as they can highlight issues that are missed by external security scanning.

3. Keep an Inventory of Your In-Use Vendors

Before you can adequately determine the risk your third-party vendors introduce, you need to understand who all your third parties are and how much data is being shared with each of them.

Without an inventory of your third-party relationships, it's impossible to measure the level of risk vendors introduce. Despite this, only 46% of organizations perform cybersecurity risk assessments on vendors who handle sensitive data.

As simple as this sounds, it's not always easy to know all the vendors used by your organization, especially if you work at a large one.

This is where tools like UpGuard Vendor Risk can help. We can help you find and monitor your vendors using our instant vendor search. Our platform scans and scores millions of companies every day to give you instant access to vendor security ratings. If we don't currently monitor the company, you can easily add it to your monitored vendor list and we'll start scanning it from the moment you add it. 

4. Continuously Monitor Vendors for Security Risks

A vendor's security posture can, and will, change over the course of your contract. That's why it's critical for you to continuously monitor their security controls over time. 

The trouble is, most organizations don't continuously monitor their vendors. Instead, they rely on point-in-time assessments, such as audits or security questionnaires, which are typically only a snapshot of an organization's security posture. 

There is definitely a place for these types of assessments, as they highlight issues that are often missed by external scanning solutions. That's why UpGuard Vendor Risk has tools to help you automate security questionnaires.

However, they are not well placed to serve as a continuous security monitoring solution, which highlights vulnerabilities that could facilitate data breaches.
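To make the difference between a point-in-time assessment and continuous monitoring concrete, here is an added example (not UpGuard's code and not part of the original post) that runs a constructed feed of daily vendor rating snapshots through both models. It assumes the contract terms discussed earlier on the page, a minimum rating of 900 and a 72-hour remediation window for high-risk issues; the vendor name, dates and ratings are constructed sample data.

```python
"""Added example: point-in-time audit versus continuous monitoring of a vendor feed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CONTRACT_MIN_RATING = 900            # contractual minimum rating from the page
HIGH_RISK_SLA = timedelta(hours=72)  # remediation window for high-risk issues from the page


@dataclass(frozen=True)
class Snapshot:
    vendor: str
    observed_at: datetime
    rating: int
    high_risk_open_since: Optional[datetime]  # None when no high-risk finding is open


def evaluate(snapshot: Snapshot) -> list:
    """Return the contract violations visible in a single snapshot."""
    findings = []
    if snapshot.rating < CONTRACT_MIN_RATING:
        findings.append("rating_below_contract")
    if (snapshot.high_risk_open_since is not None
            and snapshot.observed_at - snapshot.high_risk_open_since > HIGH_RISK_SLA):
        findings.append("remediation_sla_breached")
    return findings


def point_in_time_check(snapshots, vendor, at):
    """Audit/questionnaire model: judge the vendor from the latest snapshot at or before `at`.
    Returns None when nothing has been observed for that vendor yet."""
    candidates = [s for s in snapshots if s.vendor == vendor and s.observed_at <= at]
    if not candidates:
        return None
    latest = max(candidates, key=lambda s: s.observed_at)
    return evaluate(latest)


def continuous_check(snapshots):
    """Monitoring model: evaluate every snapshot, returning (vendor, date, finding) alerts."""
    alerts = []
    for s in sorted(snapshots, key=lambda s: s.observed_at):
        for finding in evaluate(s):
            alerts.append((s.vendor, s.observed_at.date().isoformat(), finding))
    return alerts


# Constructed sample feed: the vendor passes on audit day, dips below the threshold three
# days later with a new high-risk finding, leaves it open past the SLA, then recovers.
D0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_FEED = [
    Snapshot("acme-payments", D0, 930, None),
    Snapshot("acme-payments", D0 + timedelta(days=3), 895, D0 + timedelta(days=3)),
    Snapshot("acme-payments", D0 + timedelta(days=7), 890, D0 + timedelta(days=3)),
    Snapshot("acme-payments", D0 + timedelta(days=10), 915, None),
]

if __name__ == "__main__":
    print("audit on day 0 sees:", point_in_time_check(SAMPLE_FEED, "acme-payments", D0))
    for alert in continuous_check(SAMPLE_FEED):
        print("ALERT", *alert)
```

The day-0 audit reports no violations, while the continuous pass raises the threshold breach on day 3 and both the threshold breach and the overdue remediation on day 7; by day 10 the vendor is compliant again and a second annual audit would never have seen the gap.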

5. Collaborate With Your Vendors

While you can never fully prevent third-party unauthorized access, cyber-attacks, and security breaches, it's important to work collaboratively, not combatively, with vendors to reduce risk and fix security issues quickly.

There are several UpGuard Vendor Risk features that support this process.

For example, you can use our Portfolio Risk Profile to prioritize the most critical risks across your vendor ecosystem and request remediation through our platform to ensure risks are resolved quickly and with an audit trail. This facilitates outreach and allows you and your vendor to understand what needs to be fixed and why it poses a risk to end-users and personal data.


6. Talk About Third-Party Risk

The highest-performing organizations (those who have been able to avoid a breach in the last year and those with mature risk management programs) have engaged leadership. 

According to the Ponemon Institute's Data Risk in the Third-Party Ecosystem report, 53 percent of respondents within high-performing organizations said they have board and executive-level engagement, compared to just 25 percent of respondents among organizations that have experienced a third-party data breach.

This engagement means that the leadership at the highest performers is aware of the importance of protecting confidential information, as well as of the increasingly stringent privacy practices driven by the introduction of general data protection regulation around the world, such as GDPR, LGPD, CCPA, FIPA, PIPEDA, and the SHIELD Act.

They generally also understand the risks of poor operational security and oversharing on social media, which cybercriminals often exploit in spear phishing and whaling attacks.

This is why UpGuard Vendor Risk has in-built executive reporting, which includes:

  • The average score of your vendors over time
  • The distribution of your vendor scores
  • Your highest and lowest scoring vendors
  • The technologies most commonly used by your vendors 

7. Cut Ties With Bad Vendors

If a small business or third-party vendor is unable to meet your standards, or if they've suffered from a ransomware attack or data breach, are you willing to cut ties? And if you are willing to, do you have the processes in place to successfully offboard the vendor without causing business continuity issues?

Lots of companies are good at onboarding vendors but struggle to properly offboard them. The most secure organizations care about the details and understand that proper offboarding is an important part of third-party risk management.

If you're not sure which vendors pose the highest risk to your organization, consider signing up for a free seven-day trial of the UpGuard platform. We'll be able to show you which vendors have the worst security posture.

8. Measure Fourth-Party Risk

As important as it is to understand your third-party risk, it's also important to know who your third parties rely on. These organizations are known as your fourth-party vendors, and they introduce fourth-party risk.

Just as organizations are quickly adopting multi-factor authentication, we see our best customers contractually requiring vendors to notify them when they share data with a fourth or fifth party. This allows them to track sensitive information sharing and better understand who has access. 

UpGuard Vendor Risk's Concentration Risk module automatically detects many of your fourth parties and shows you which fourth-party vendor you have the most exposure to. This can help you plan for business continuity too. For example, if you know that 30 of your critical vendors rely on AWS, you may opt to choose other vendors who use Google Cloud Platform to spread out the risk that an outage at one of these cloud providers would leave you unable to conduct business as usual.


9. Follow the Principle of Least Privilege (POLP)

Many third-party data breaches occur because the third party is given more access than it needs to do its job.

Consider investing in a robust role-based access control system that follows the principle of least privilege (POLP), the practice of limiting access rights for users, accounts, and computing processes to only those needed to do the job at hand. 
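The following is an added example (not from the original post, and not UpGuard's or any particular product's code) of what a least-privilege, role-based access model for third-party accounts looks like in practice: access is denied by default, every grant names a role with an explicit action list, an explicit resource scope and an expiry date, and offboarding a vendor is a single revocation. The role names, the vendor service account, the resource names and the reference time are all constructed for illustration.

```python
"""Added example: deny-by-default RBAC with scoped, time-bounded grants for third parties."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical roles: each lists exactly the actions that job function needs and nothing else.
ROLES = {
    "backup-operator": {"backup:read", "backup:write"},
    "support-analyst": {"ticket:read", "ticket:comment"},
    "auditor": {"log:read"},
}


@dataclass(frozen=True)
class Grant:
    principal: str          # the third-party service account
    role: str               # one of ROLES
    resources: frozenset    # explicit resource scope; no wildcards
    expires_at: datetime    # every third-party grant is time-bounded


class AccessPolicy:
    """Deny-by-default policy store for third-party accounts."""

    def __init__(self):
        self._grants = []

    def grant(self, principal, role, resources, expires_at):
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self._grants.append(Grant(principal, role, frozenset(resources), expires_at))

    def revoke_all(self, principal):
        """Offboarding: drop every grant held by a vendor account; returns how many were removed."""
        before = len(self._grants)
        self._grants = [g for g in self._grants if g.principal != principal]
        return before - len(self._grants)

    def is_allowed(self, principal, action, resource, now):
        """Allow only through an unexpired grant whose role lists the action and whose
        scope names the resource; anything not explicitly granted is denied."""
        for g in self._grants:
            if g.principal != principal or now >= g.expires_at:
                continue
            if resource in g.resources and action in ROLES[g.role]:
                return True
        return False

    def effective_permissions(self, principal, now):
        """Access-review helper: the (action, resource) pairs a principal can use right now."""
        pairs = set()
        for g in self._grants:
            if g.principal == principal and now < g.expires_at:
                for action in ROLES[g.role]:
                    for resource in g.resources:
                        pairs.add((action, resource))
        return sorted(pairs)


NOW = datetime(2024, 3, 1, 9, 0)            # constructed reference time
AFTER_EXPIRY = NOW + timedelta(days=31)     # one day past the sample grant below


def build_sample_policy():
    """Constructed sample: a backup vendor scoped to a single database for 30 days."""
    policy = AccessPolicy()
    policy.grant("backup-vendor-svc", "backup-operator", {"db/donors"}, NOW + timedelta(days=30))
    return policy


if __name__ == "__main__":
    policy = build_sample_policy()
    checks = [
        ("backup:read", "db/donors", NOW),            # in role and in scope: allowed
        ("backup:read", "db/patients", NOW),          # outside resource scope: denied
        ("ticket:read", "db/donors", NOW),            # action not in role: denied
        ("backup:read", "db/donors", AFTER_EXPIRY),   # grant expired: denied
    ]
    for action, resource, when in checks:
        print(action, resource, when.date(),
              policy.is_allowed("backup-vendor-svc", action, resource, when))
    print("effective now:", policy.effective_permissions("backup-vendor-svc", NOW))
    print("grants removed on offboarding:", policy.revoke_all("backup-vendor-svc"))
```

The `effective_permissions` review is the piece that catches over-provisioning: if a vendor's list contains actions or resources unrelated to the job described in its contract, the grant is wider than least privilege allows.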


Suggestions for Third-Party Security Requirements

It’s helpful to use an established cybersecurity framework or to draw on a cybersecurity framework to inform your information security policies for third parties. Doing so is an excellent way to make the requirements transparent and clarify why they are necessary.

The NIST Cybersecurity Framework is one widely used example. Trusted by businesses worldwide, it is flexible and can be adapted for many sectors and different business sizes. Among the security controls it calls for, the following are key for any third party with whom a business is considering a partnership.


Access Control

Access control is a major component of the NIST framework, helping businesses define who has access to sensitive data. By limiting access to confidential information, firms can dramatically reduce their risks of data leaks and data breaches, passing those benefits onto their business partners. Not everyone needs access to critical or sensitive data. A system that provides and monitors privileged access can help keep firms accountable and reduce their attack vectors.

Identification and Authentication

For those with access to valuable data, identification and authentication systems are essential for minimizing cyber risks.

Businesses managing third-party risk are advised to insist that their third parties use robust authentication systems, such as multi-factor authentication (MFA). MFA can dramatically reduce attackers' ability to access, modify, and/or steal valuable data.

Accountability and Auditing

To enforce minimum cybersecurity standards, third parties may need to agree to an auditing system, regularly proving to their partners or other interested parties that they are adhering to minimum viable cybersecurity standards to protect data.

Monitoring

Continuous security monitoring can give firms an accurate, real-time view of their third parties' vulnerabilities. It's a good idea because, while traditional audits are useful, they provide only a static view of a constantly changing situation.

The cyber threat landscape changes from moment to moment, with cybercriminals seeking new vulnerabilities and developing new methods to exploit them. Businesses are also changing. Their policies evolve, staff and vendors may change, and they may introduce new workflow technologies. Adding a single device with unapproved software can lower a business’s security rating.

For these reasons, continuous monitoring is essential, especially considering the complexity of third-party and fourth-party risks throughout the supply chain. Businesses will benefit from being updated in real-time about changes to their business partners’ threat levels and their ability to manage cyber risks.

Incident Response

Ensuring that third parties have incident response plans should be a core component of any third-party risk management strategy. With a detailed incident response plan, a firm knows what to do in the increasingly likely event of a cyber attack or other cyber incidents.

The incident response plan should clearly state the contact details and responsibilities of the incident response team. Nonetheless, it must be written so anyone can follow the instructions.

Clarity and preparation ensure that the business can react promptly, professionally, and with sufficient security measures to limit damage, minimize business disruption, and provide a professional face for the public, peers, and media that may report the incident, all of which play a part in the potential extent of reputational damage as a result of a data breach.

Maintenance

Ensuring that your third-party cyber risk and security policy includes the concept of maintenance ensures that third parties meet your cybersecurity standards and maintain them over time.

Physical Protection

Technological solutions often eclipse physical security measures. Physical protection is important, however, because third parties can often put effective measures in place with relatively little time or cost compared to software or network-based cybersecurity solutions.

Physical protection might include ensuring that devices that store and process critical data are not left unattended. It might mean locking a door or drawer or using physical badges to identify staff and provide privileged access to some building areas.

Third parties, such as those in the retail sector, might increase the use of cameras and security guards around POS systems.

CCTV monitoring of entrances and car parks in a brick-and-mortar location may increase security and the ability to identify anyone who has attempted to breach a secure area or steal a device physically. Such physical security measures can improve a business’s security ratings and protect its clients and customers’ data.

Cybersecurity Awareness and Training

Training during the onboarding process can help businesses move toward better cyber risk governance and the development of a culture of cybersecurity. Whether in-person or via webinars, trainers can help staff appreciate the gestures and techniques that can make a massive difference to a business’s security posture.

A simple act like leaving a client’s name and phone number on a Post-It might seem harmless, but it can pose an information security risk and put an organization in breach of regulatory compliance.

Ensuring that every member of staff is aware that they are stakeholders in data security has never been more important than now, in the era of increasingly robust and demanding regulations, such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), the Defense Federal Acquisition Regulation Supplement (DFARS), and the Cybersecurity Maturity Model Certification (CMMC) for government agencies and defense contractors.

Information Security Policies

Excellent security measures and procedures can suffer from not being applied consistently. For example, procedures and technology may differ between departments, especially in a larger organization, leading to security gaps, accountability issues, and compatibility problems.

Documented information security policies help ensure that every staff member follows the same rule book. This makes it easier for a security team to protect the integrity of networks and more effectively manage entire attack surfaces.

Risk Assessment

A business's third parties should ensure that they meet minimum cybersecurity requirements and do their due diligence to learn their own vulnerabilities and cyber threats. Doing so means that the business can prioritize the development of cybersecurity maturity.

Businesses must appreciate that what works for one firm is not necessarily an effective approach for all businesses. With differences in culture, size, sector, geographical location, clientele, business age, cybersecurity maturity, attitude to risk, staff skills, and many other factors, all businesses need to look at cyber risks from their unique perspective to determine how to remediate vulnerabilities and which to tackle first.

Acquisition Policies, Processes, and Procedures

With a documented acquisition policy, businesses can ensure that when they onboard new vendors or use new technology, it will meet the approval of their business partners and not increase their risk exposure to an unacceptable level.

A supply chain attack through a software vendor can be devastating and wide-reaching, so securing the acquisition process can help reduce risks throughout the business ecosystem.

In addition to providing advice regarding the acquisition of new software and hardware, such policies may also cover training requirements to ensure that staff can use the new systems properly without dramatically increasing the risk of misconfigurations and data leaks.

Examples of Third-Party Breaches

Many of the world’s worst third-party breaches are associated with the healthcare industry but occur across all sectors, including financial institutions, governmental agencies, and critical infrastructure.

Trinity Health (2020 and 2021)

Trinity Health has suffered from major third-party data breaches for two consecutive years in 2020 and 2021.

In 2020, the records of 3.3 million patients were compromised when Blackbaud, the vendor that handled the backup of Trinity Health’s donor database, was the victim of a ransomware attack.

While Trinity Health managed to halt the attack, cybercriminals were able to exfiltrate sensitive data. The healthcare provider paid the ransom to avoid the data being sold or shared, but, as is always the case in such situations, there is no guarantee that those files will not surface on the dark web or elsewhere.

In 2021, Trinity Health suffered a second significant third-party data breach through a cyber attack on Accellion, which handled file transfers.

Data compromised included sensitive information and protected health information (PHI), including:

  • Full names and contact details
  • Dates of birth
  • Financial information
  • Medical record numbers
  • Lab test results
  • Healthcare providers
  • Medications
  • Medical claims

Broward Health (2022)

This security breach impacted 1.3 million patients. It is thought that it could have been prevented if the third-party medical provider had used multi-factor authentication (MFA) on a compromised device.

The security incident led to the compromise of personal data, including:

  • Names and addresses
  • Dates of birth
  • Medical information
  • Insurance information
  • Driver’s license numbers

Morley Companies (2022)

Morley Companies is a third-party service provider that works with many businesses, including those in the medical sector. A ransomware attack in February 2022 compromised the records of more than half a million people.

In this case, compromised personal data and protected health information included:

  • Names and addresses
  • Client ID numbers
  • Dates of birth
  • Social security numbers
  • Health insurance information
  • Medical diagnostic information
  • Medical treatment information

Mercedes-Benz (2014 - 2017)

It’s not only firms in the healthcare sector that need to manage third-party risks. All businesses across all sectors need to manage vendor risk to protect PII.

In June 2021, Mercedes-Benz released information about a data breach that spanned 2014 - 2017 and affected around 1.6 million records. The attack vector was the cloud storage platform of a third-party vendor.

Information on customers and potential buyers was leaked from websites, compromising the sensitive information of 1000 people. Compromised information may have included:

  • Full names
  • Emails
  • Phone numbers
  • Driver’s license numbers
  • Credit card information
  • Birth dates
  • Data regarding purchased vehicles

SolarWinds (2020)

The SolarWinds supply chain breach is another excellent example of the far-reaching impact that cybercriminals can achieve via third-party vendors.

The SolarWinds hack affected more than 18,000 software users. Government agencies affected by the hack included:

  • The Department of Commerce
  • The Department of Defense
  • The Department of Energy
  • The Department of Homeland Security
  • The Treasury Department

The functionality of many major private companies was also affected, including Microsoft, Intel, and Cisco. The cybersecurity incident affected national security and inspired the Trump administration to modernize the nation’s cybersecurity capabilities.

How UpGuard Can Help Prevent Third-Party Data Breaches

UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates. We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.

This includes open ports and other services that are exposed to the public Internet. Our platform explicitly checks for nearly 200 services running across thousands of ports, and reports on any services we can't identify, as well as any open ports with no services detected.

The major difference between UpGuard and other security ratings vendors is that there is very public evidence of our expertise in preventing data breaches and data leaks. Our expertise has been featured in the likes of The New York Times, The Wall Street Journal, Bloomberg, The Washington Post, Forbes, Reuters, and TechCrunch.

You can read more about what our customers are saying on Gartner reviews.

If you'd like to see your organization's security rating, click here to request your free Security Rating.
