November 10, 2020//Ellen NeveuxLast Updated: November 24, 2020
Data breaches that involve third parties, vendors, and contractors have continued to make headlines throughout the past 10 years. We continue to see headlines, see articles on social media, and we’ve all become numb to getting the letters in the mail about another data breach. But, more often than not, you hear about the doctor’s office that was breached (or retailer, government, or pretty much any type of enterprise in between), but you don’t always hear about the third party or vendors’ access that caused the said breach, or any other form, of a cyberattack.
Let’s give a common example and one that we still talk about, even 7 years later: the Target data breach. But, when we talk about the Target breach, we call it just that— the Target breach. We don’t always associate the HVAC vendor whose unprotected network led to the breach that still haunts us today.
But, that was 7 years ago, and the conversation is beginning to change its focus not just on the enterprise that was affected during a third-party data breach, but the technology vendor that was associated with the cyberattack. A good example of just this scenario is with the well-known software platform used by many cities named Click2Gov.
No matter where you live, you most likely have to enter some sort of payment portal in order to pay your utilities. That’s exactly what Click2Gov is. According to them, their platform is a payment portal that empowers citizens through interactive self-service bill-pay options for utilities, community development, and finance.
A necessary platform, yes, but with news about this software, there are some clear shortcomings. There have been many cities that use this platform that say their networks have been breached, and Click2Gov is under fire from them the cities and those in the cybersecurity field. And the scariest thing about this whole situation with the Click2Gov data breach is that they haven’t changed since their first breach in 2018.
In 2018, at least 10 different US cities that use Click2Gov’s software on their websites have had to warn citizens of a data breach that could compromise their payment card information. In 2020, Click2Gov has another breach that’s attributed to the infamous Magecart-style attacks, which have taken down other websites like British Airways, Ticketmaster, and about 2 million more.
In each scenario, the city or town discovers that there is something wrong with their utility payment system, shuts it down, and the city’s name takes the fall. However, fingers have been pointed at Click2Gov for almost 2 years and nothing has seemed to change for them. They continue to be in the headlines for different breaches throughout the past couple of years.
Here’s where things get even trickier: pointing fingers can go in either direction. Do we blame the different cities that continue to not check what vendors they’re using and doing their due diligence in ensuring that their cybersecurity posture matches what they’re doing internally? Or do we blame the vendor who continues to have issues and doesn’t seem to take the necessary steps to avoid data breaches, ransomware, or other attacks? Whichever side you pick, you’re both right and wrong because they’re both at fault.
It’s important that no matter what “side” you’re on, in terms of being the enterprise or the vendor, cybersecurity for external access should always be a top priority because, as you can see, when it isn’t prioritized, it leads to breaches, ransomware attacks, and bad press for your company.
You really are only as strong as your weakest link when it comes to network security. For a technology vendor, the impact of a data breach attached to your name can be deadly. Not only on your budget in terms of fees and fines, but your reputation can be ruined with just one headline. At the end of the day, a data breach can lead to fines, fees, reputational damages, and unlimited liabilities.
Moving forward, external vendors, contractors, and third parties need to be aware that there are ways to limit their liability while balancing being both efficient and aware of potential security risks. Look for the best remote support platform to fit your needs and consider what you want or need out of a platform, like:
To learn more about the importance of implementing a well-rounded cybersecurity strategy, check out our solution brief that talks about how you can protect your reputation with a standardized remote support platform.