April 22, 2020//Ellen NeveuxLast Updated: April 12, 2021
When the event hit the news that the medical debt collector American Medical Collection Agency (AMCA) suffered a massive data breach last year, businesses from various industries were shaken. The personal data of around 24 million unknowing customers were compromised. This third-party vendor breach alone affected at least 23 healthcare organizations, three professional services firms, two business support entities, and a manufacturing company. What followed was a storm of numerous class action suits, hefty penalties, and fleeing clients which eventually ended in AMCA filing for bankruptcy.
The results were somewhere between significant financial loss, huge data compromise, and long-term brand damage. As studies have shown in the past, notably the Cost of Data Breach from IBM, these breaches can cost your company, on average, $4 million. But what’s not being talked about are the so-called “ripple effects” of your data being compromised by third-party vendors. Tracking at least 813 incidents since 2008, a study from cybersecurity think tank Cyentia Institute found that a single breach from a vendor that services at least 10 parties can cost companies at least 13 times more than an average single-party breach.
One key aspect in the Cyentia study, however, is the fact that more than a quarter of these breaches came from vendors catering to business support. Today, more organizations rely on outsourced support as businesses favor agility and leanness to better respond to market changes. The changing workforce and business process landscaped have increasingly aggregated data in the hands of third-party service providers.
This makes third-party vendors critical targets for hackers and fraudsters, as a single compromise can shore up information from multiple databases. Especially with businesses competing to secure cybersecurity talent for a long time now, most are increasingly reliant on third-party vendors for maintaining their own security. Maryville University highlights that this shortfall was 1.5 million globally in 2016, and today this number has grown to a staggering 4 million. To mitigate this, organizations rely on “out-of-the-box software” to stand in lieu of in-house talents. This perfect storm in an adopt-or-die environment has bred complacency, as TechRadar puts it, and is a threat that opens organizations to further attacks.
Regularly assess third-party vendors. Make a list of high impact vendors and rank them according to the sensitivity and volume of data they handle. Businesses today engage in at least 80 to 150 third-party vendors and assessing them all periodically will be resource-intensive. Instead, assess access risks by relevance.
Audit SLAs. Depending on your risk assessment, you should always put your service-level agreements (SLAs) on regular review. One thing that should be clear is the security protocols and specific conditions in place. Make sure the definitions of measurement standards and methods, reporting processes, contents and frequency, a dispute resolution process, and the indemnification clause reflect what’s good for your organization.
Manage vendor relationships. Continuous monitoring of your data and vendors’ access should be on top of your cyber priorities. Harvard Kennedy School lecturer Bruce Schneier blasts the assumed security of companies today from supply chains to ransomware security of outsourced processes. While this does not mean you should move back your services in house, you should be able to understand and have a clear picture of the risks involved.
To learn more about the importance of vendor risk management and why it should be embraced, check out SecureLink’s brochure that highlights the importance of having a separate software platform specifically to manage vendors’ privileged access to systems, networks, and applications.