October 09, 2019//Tony HowlettLast Updated: April 29, 2020
It’s pretty common knowledge that many companies outsource some, if not all, of their critical IT to vendors. While outsourcing to vendors or third parties does increase efficiency, it also opens companies up to a world of risk that isn’t always accounted for. To combat these unaccounted for risks, we want to educate people and raise awareness. Below we have listed the top three threats posed by third-party vendors to help you mitigate and prevent these risks.
Even organizations with the most robust data security systems are susceptible to breaches via the weaknesses of their third-party vendors. In fact, 59%of respondents to a Ponemon Institute survey say that their organization has experienced a data breach via third-party in the past year. And several of 2018’s most significant and costly security breaches, including Equifax, Tesla, Saks 5th Avenue, Universal Music Group, and Applebee’s, resulted from vulnerabilities on the part of third-party vendors.
With an increase in the number of bad actors seeking to steal data — either directly from you or via your vendors — enterprises must have complete visibility into all remote access actions. One important control to have in place is to limit the scope of a vendor’s access to systems and data so it has only what’s needed to perform its duties. Something we like to call least privileged access.
An even more concerning situation involves malware — in particular, ransomware. Ransomware has the ability to quietly encrypt data for weeks or months, overwrite backups, and leave businesses in a vulnerable position: either pay the ransom or lose the data. Often, even when the ransom is paid, the data is never returned — truly, a lose-lose situation.
Even the most established and beloved of brands can suffer exponentially from the reputation damage that comes with a third-party breach. One study reports that a negative reputation event, or “bad press,” creates an 80% chance that a company will lose more than 20% of its value within a month. Even if your enterprise bears no financial or regulatory responsibility for the breach or failure, the damage to reputation and loss of customer trust and data can inflict lasting consequences.
Non-compliance with legal and industry regulations can occur when an outsourced provider has inadequate control systems and knowingly or accidentally causes a customer to violate that regulation. The consequences of non-compliance for companies in high-stakes industries like finance and healthcare can be especially harsh.
Organizations are found liable for illegal or negligent actions taken by their vendors under many new (and tightening) protocols including HIPAA, GDPR, CCPA, and others. These findings can result in fines, penalties, and even revocation of license or charter.
In light of growing threats to compliance, many regulations now require organizations to monitor suppliers and service providers for potential risks. Enterprises are bound by legal and regulatory mandates to mitigate non-compliance, security breaches, and data loss involving third parties. And the only way to do this is to implement an effective vendor privileged access management program.
Even if a hacker does not succeed in exfiltrating data from a target system, downtime and outages can occur both from damage done during the attack or from time to restore systems to an uninfected state. And in cases of the aforementioned ransomware, the victim’s systems are simply completely locked up till the ransom is paid or recovery from backups (assuming they aren’t infected too) can occur. This is bad enough for enterprises in non-regulated industries, where these outages cost revenue and customer loyalty, but it is even worse for those in highly regulated industries.
In entities such as hospitals, public safety (911 and emergency response), electric grids, dams, and other critical infrastructure, downtime can cost lives. Hackers have been working on infiltrating key patient care systems such as heart monitors and infusion pumps. Evidence of nation-state hacking groups has been found in electric companies’ systems. This is a key reason why ransomware thieves have focused on small-town infrastructure and hospitals recently; those systems are critical to citizen’s and patient’s lives and no one can afford for these systems to be down.
Implementing a good vendor management system, including policies, procedures, and technology solutions does more than prevent and mitigate disaster. It helps control costs, reduces vendor-related risks, and optimizes the value you receive from your vendors over the long-term. Having all vendor-related information in a single place can influence your decision-making process, resulting in streamlined enterprise performance, long-term cost savings, and improved earnings.
Superior vendor risk management also improves the customer experience. Fostering better relationships with your vendors leads to increased efficiency and a better experience for your customers and end-users.
On the flip side, poor vendor relations can result in substandard customer interactions. Unclear vendor policies and ineffective communication can result in third-party activities that don’t rise to the level of your carefully prescribed business practices, desired brand image, and customer care.
Problematic vendors can cost a business dearly, and often these costs are hidden. The right vendor management program allows you to quickly identify and trace compromised workflows. Early risk detection means action can be taken immediately, and you can effectively “cut your losses.”
Effective onboarding processes supported by technical controls can help bring new vendors into operational mode quickly, delivering their promised solutions sooner. Also, effective audit systems can help staff comply with auditor’s and regulator’s documentation requests, cutting down on your compliance costs.
Your data is its most secure when you have visibility of all remote activity occurring on your network. With the right vendor management program, you’ll easily see who’s doing what on your network and gain a holistic view of all third-party activity. This enables you to track and audit vendors properly through up-to-the-minute monitoring of your network — and all the vendors who have access to it.
Using outside vendors is invaluable for organizations of all types and sizes. Third-party vendors can help you scale your business and deliver specialized expertise to customers, while you concentrate on your core business.
But you can’t manage what you can’t measure. When data is your organization’s lifeblood, you need to see and control every factor, from your internal employees and systems to your third-party vendors. Implement this system before an unfortunate incident forces your hand. Working with a high-performance vendor management system for secure remote access is critical to taking your enterprise — and your customers — to the next level of success. To learn more about vendor management program options, check out our helpful brochure that outlines the top options.