December 05, 2019 // Joel | Last Updated: June 14, 2022
As data breaches within private organizations and government entities continue to rise, the expenses to recover from them are escalating at an exponential pace. With third-party breaches, there can be additional costs beyond the usual financial, regulatory, and reputational damage that an internally caused data breach can bring. These damages can combine to make third-party breaches far more expensive than one where a third party isn’t involved. Let’s examine these costs and some ways that they can be avoided.
According to a study by the Ponemon Institute and IBM, the average cost of a data breach for an organization is $4.24 million — a 17-year high. In addition, it took an average of 210 days for an organization to identify a third-party breach, and those additional ten days created a much higher cost. For organizations where a breach lifecycle lasted more than 200 days, the cost shot up 29.7% compared to those below the 200-day lifecycle. Each day costs thousands.
Along with the growth of outsourcing, particularly as it has spread beyond the back office and into mission-critical functions, exposure to vendor downtime has increased. This is especially true for highly regulated industries such as healthcare and financial services. And while any kind of hack can take a company’s systems down, a third-party data breach can have additional costs and associated complications. As an organization relying on the vendor, you’re dependent on their disaster plan to bring the system back up. Even if they are up to the task, you have no control over it. Plus, if intrusion into their system is widespread, vendors are dealing with a host of internal systems diagnostics while at the same time being swamped by customers’ requests. In short, your issues may not be their first concern, or you may have to wait in a very long queue.
“A solid vendor risk management program, backed up by technology, policies, and procedures is the best protection.”
Smaller third-party vendors are sometimes so overwhelmed by the strains and potential costs of having their customers hacked that they go out of business. This nightmare came to reality in the LabCorp/Quest Diagnostics data breach. In a situation such as that, you may be forced to bring on a new vendor immediately in order to restore those services, and that’s on top of dealing with the cost of a data breach.
When it comes to investigating the root cause of a vendor-related incident, it’s often more difficult and expensive since you won’t have direct access to the suspected systems. And when legal liability is at stake, third-party vendors are likely to be more interested in protecting themselves than in being fully transparent. If your vendor does not cooperate fully right away, your downtime costs will escalate, hour by hour, day by day. Even if they are all in on your investigation efforts, the forensic investigation will take longer due to the multiple entities, networks and software platforms involved.
Another legal consideration is raised if you want to recover losses or costs from a vendor that causes your company to be breached. In those cases, you had better have good lawyers. As noted above, even when fault is clearly determined, vendors are hesitant or unable to write you a check. Relying on the courts may be your only recourse, and that can take years of effort and considerable legal costs with no certain outcome, especially if you don’t have clear-cut access audit records available. In the end, there may be no entity left to recover from, and that could leave you holding the bag for all related costs of a data breach caused by your vendor, including your legal fees.
The biggest vulnerability for an organization remains the point of access. Protecting critical access points, especially access points between an organization and a third party, is the best way to prevent a data breach from occurring. By employing access governance, access control, and access monitoring, an organization can create a robust architecture that protects against threats from all sides — internal and external. Learn more about how to protect what’s most important with our Critical Access Management ebook.