December 14, 2020 // Tori Taylor // Last Updated: May 13, 2022
Way back in 2018, the Department of Defense (DOD) reported a data breach that affected at least 30,000 military and civilian personnel.
Let’s take a stroll down memory lane to look at what happened in this data breach: hackers gained access through a third-party contractor that maintained travel records for the department. The breach compromised highly sensitive data, including personal and financial information. Among it were travel records, which are particularly sensitive because they give bad actors detailed employee itineraries, right down to airplane seat numbers.
And then in December 2020, news hit of the SolarWinds supply chain attack which affected the US Treasury, the US National Telecommunications and Information Administration (NTIA), and FireEye.
So, let’s break down what happened: hackers (suspected to be working for a foreign government) were able to insert malware into a SolarWinds software update, which then infected US companies and government networks that installed it.
In other words, companies and government networks were hacked because of a software vendor they had in common. Again, this highlights the obvious threat all companies who work with vendors, contractors, and third parties have. With the proper actions, however, this threat can easily be minimized.
Unfortunately, neither of these breaches should come as a huge surprise. The DOD breach happened in 2018 and the FireEye/SolarWinds attack happened in 2020, and we’re all still seeing the same headlines about new data breaches plaguing companies; the public sector and government entities are no different.
Back in 2018, the issues identified were clear: the organizations weren’t proactive about preventing data breaches, they had poor password management, and they lacked encryption. But even if the DOD, FireEye, the US Treasury, and the US NTIA had many of these cybersecurity best practices in place for their own organizations, a network is only as strong as its weakest link, so if vendors aren’t being held to a secure standard, your network is always going to be at risk. In both cases, the weak link was an unsecured third-party vendor.
And here we are, two years later, still talking about data breaches that stem from a third party’s access because another one has made headlines.
It’s well past time for all government entities, agencies, and everything in between to take notice of, and address, the huge risk that third parties and vendors pose to their cybersecurity posture.
It’s widely known and accepted that government, nonprofit, and private-sector entities usually operate under the mantra of “do more with less.” What that means is that quality, productivity, and turnaround time need to keep improving while budgets rarely keep pace. So, like most companies, many of these organizations rely on third parties or vendors to make this all possible.
However, as the breach headlines show, the relationship between an enterprise and a vendor is usually not properly managed. Service providers are now firmly in the cybercriminal’s crosshairs because, more often than not, vendors are given privileged credentials and access to multiple customer environments and are inherently trusted to store and protect confidential information.
So, cybercriminals view service providers as treasure troves. This should come as no surprise, since vendors seem to be involved everywhere: Marriott, TikTok, nearly every company, and, of course, Target. Here’s the thing: if you aren’t even allowing all internal employees to have privileged access, why are you allowing it for a vendor company whose reps and techs you don’t hire or fire?
So yes, we can learn from our past mistakes, but learning is just the beginning. To prevent a data breach, each and every organization must take the necessary steps to protect themselves, their customers, their data, and their reputation.
Let’s face it, the relationships between vendors and enterprise organizations aren’t going away and weaknesses continue to be exploited to make headlines weekly. So, let’s look at ways organizations can reduce their exposure through some key best practices:
In all strategic planning, policies, and procedures, cybersecurity can’t be a sub-bullet, add-on, or afterthought. Along the same lines, responsibility for it should not be housed in a stand-alone department.
Cybersecurity is every employee’s business. Some of this is common sense, such as not opening unexpected email attachments, guarding and changing passwords, and making encryption the standard. It is just as important not to focus only on internal resources when thinking about cybersecurity.
Ensure that everyone you work with, whether a technology vendor or a contractor hired for writing, lives up to the same standards you have put in place for your company.
Ensuring you do your research before the selection of vendors is critical. At the top of the list must be their security policies and capabilities.
Did you know that 61% of data breaches and attacks are attributed to a third party or vendor? Without clear visibility into remote access to networks and third-party systems, it can be hard to know if a current or potential vendor may be vulnerable or compromised.
Make sure you identify possible red flags, so you can take steps to protect your network from cyberattacks and other threats to your data. And this shouldn’t only happen when you’re employing new vendors. You should, ideally, check in on your vendors and their different protocols monthly or quarterly.
Remember, you hired a vendor company, not its individual reps, so it’s important to have complete control over access, all the way down to the individual. Use vendor access management tools that restrict each user’s access to only the systems and activity needed.
Auditing network activity provides vendor accountability, ensures regulatory compliance, and acts as an early-warning system for emerging vulnerabilities. Instead of pointing fingers at every vendor company you work with, you will be able to say which vendor company and which rep caused the issue. This takes the guesswork out of a breach or cyberattack.
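The two points above, per-rep least privilege and audit trails that attribute activity to an individual, can be checked mechanically. The following is an added example written for this article, not code from any vendor access management product: it assumes a constructed access policy keyed by vendor and rep, parses constructed audit log lines, and reports every event that falls outside a rep’s approved systems, attributed to the vendor and the individual.

```python
"""Attribute vendor remote-access events to the individual rep and flag
access outside each rep's approved systems (a least-privilege check)."""
from collections import defaultdict

# Constructed sample policy (hypothetical vendors, reps and systems):
# access is granted per vendor AND per named rep, never to the company as a whole.
VENDOR_POLICY = {
    "TravelCo": {"a.lee": {"travel-db-01"},
                 "m.chen": {"travel-db-01", "travel-web-02"}},
    "NetOpsInc": {"r.patel": {"core-switch-07"}},
}

# Constructed audit log, one event per line: timestamp,vendor,rep,target_system,action
SAMPLE_AUDIT_LOG = """\
2020-12-14T09:02:11Z,TravelCo,a.lee,travel-db-01,session_start
2020-12-14T09:15:40Z,TravelCo,a.lee,hr-fileshare-03,session_start
2020-12-14T10:01:05Z,NetOpsInc,r.patel,core-switch-07,config_change
2020-12-14T10:22:19Z,TravelCo,j.doe,travel-db-01,session_start
2020-12-14T11:47:53Z,NetOpsInc,r.patel,travel-db-01,session_start
"""

def parse_audit_log(text):
    """Turn the comma-separated log into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vendor, rep, system, action = line.split(",")
        events.append({"ts": ts, "vendor": vendor, "rep": rep,
                       "system": system, "action": action})
    return events

def audit_vendor_access(events, policy):
    """Return (violations, activity): violations are events by an unknown rep or
    against a system the rep is not approved for; activity counts events per
    (vendor, rep) so any finding is tied to a named individual, not the company."""
    violations = []
    activity = defaultdict(int)
    for ev in events:
        activity[(ev["vendor"], ev["rep"])] += 1
        allowed = policy.get(ev["vendor"], {}).get(ev["rep"])
        if allowed is None:
            violations.append({**ev, "reason": "rep not on vendor's approved list"})
        elif ev["system"] not in allowed:
            violations.append({**ev, "reason": "system not approved for this rep"})
    return violations, dict(activity)

if __name__ == "__main__":
    found, per_rep = audit_vendor_access(parse_audit_log(SAMPLE_AUDIT_LOG), VENDOR_POLICY)
    for v in found:
        print(f"{v['ts']} {v['vendor']}/{v['rep']} -> {v['system']}: {v['reason']}")
```

On the sample log this flags a.lee reaching an HR file share, an unlisted rep j.doe using TravelCo’s access, and r.patel touching a system outside NetOpsInc’s scope, each attributed to a named person rather than to “the vendor”.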
Organizations that leverage third-party services must follow these best practices in order to maintain a value-adding partnership with vendors.
To learn more about how third-party data breaches have affected other companies, download our helpful eBook that maps out the top attack vectors, common phases associated with a third-party data breach, and the importance of implementing a vendor management program.
Vendor access management tools should always incorporate security measures and facilitate credential management, multi-factor authentication, connection notifications, and real-time monitoring with comprehensive audit reports.