December 14, 2020//Ellen NeveuxLast Updated: December 16, 2020
Way back in 2018, the Department of Defense (DOD) reported a data breach that affected at least 30,000 military and civilian personnel. Let’s take a stroll down memory lane to look at what happened in this data breach: hackers gained access through a third-party contractor that maintained travel records for the department. The breach compromised highly sensitive data including personal and financial information. Included in that was travel records, which are particularly delicate because this information can provide bad actors with detailed employee itineraries and all the way down to their airplane seat number.
And then in December 2020, news hit of the SolarWinds supply chain attack which affected (so far!) the US Treasury, the US National Telecommunications and Information Administration (NTIA), and FireEye. So, let’s break down what happened: hackers (expected to be from a foreign government) were able to deploy a malware-ridden update into their software that was able to infect some US companies and government networks. In other words, companies and government networks were hacked because of a software vendor they had in common. Again, this highlights the obvious threat all companies who work with vendors, contractors, and third parties have. With the proper actions, however, this threat can easily be minimized.
Unfortunately, both of these breaches shouldn’t come as a huge surprise. The DOD breach happened in 2018 and the FireEye/SolarWinds attack happened in 2020– we’re all still seeing the same headlines about new data breaches plaguing companies, and the public sector and government entities are no different. Back in 2018, it was noted that the issues related to this were: they weren’t proactive about preventing data breaches, they had poor password management, and they lacked encryption. But, even if the DOD, FireEye, the US Treasury, and the US NTIA had many of these best cybersecurity practices for its own organization in place, a network is only as strong as its weakest link– so if vendors aren’t being held to a secure standard, your network is always going to be at-risk. In these cases, the third-party vendor vulnerabilities were not secured. And here we are, two years later, still talking about data breaches that stem from a third party’s access because another one has made headlines.
It’s well past the time when all government entities, agencies, and anything in between takes notice and addresses the huge risk that third parties and vendors are to their cybersecurity position. It’s widely known and accepted that government, nonprofits, and the private sector entities usually have a phrase of “do more with less.” What that means is that quality, productivity, and turnaround time need to continue to improve, but budgets aren’t usually at that same level. So, like most companies, many of these organizations rely on using third parties or vendors to make this all possible.
However, as we can all see from the headlines of data breach reports is that usually the relationship between an enterprise and a vendor isn’t properly managed. This is because service providers are now firmly in the cyber criminal’s crosshairs because more often than not, vendors are given privileged credentials and access to multiple customer environments and are inherently trusted to store and protect confidential information. So, cybercriminals view service providers as treasure troves. This should come as no surprise to you since everything seems to be influenced by vendors– Marriott, TikTok, nearly every company, and, of course, Target. Here’s the thing– if you aren’t even allowing all internal employees to have privileged access, why are you allowing a vendor company, whose reps and techs you don’t hire or fire?
So yes, we can learn from our past mistakes, but learning is just the beginning. To prevent a data breach, each and every organization must take the necessary steps to protect themselves, their customers, their data, and their reputation.
Let’s face it, the relationships between vendors and enterprise organizations aren’t going away and weaknesses continue to be exploited to make headlines weekly. So, let’s look at ways organizations can reduce their exposure through some key best practices:
Organizations that leverage third-party services must follow these best practices in order to maintain a value-adding partnership with vendors. To learn more about how third-party data breaches have affected other companies, download our helpful eBook that maps out the top attack vectors, common phases associated with a third-party data breach, and the importance of implementing a vendor management program. Vendor access management tools should always incorporate security measures and facilitate credential management, multi-factor authentication, connection notifications, and real-time monitoring with comprehensive audit reports.