Learn how to quarantine compromised data when a trusted partner is attacked.
When a high-profile data breach occurs, people aren’t necessarily worried about the company that suffered the breach. Instead, their concern is for the end-users of that company’s systems.
Those users, customers and employees, are the ones whose sensitive data is at risk. A data breach is also an implicit breach of trust between end-users and the organization that handles their data.
That is why high-profile data breaches like those at Uber and Equifax are so damaging. What those brands suffered is just the tip of the iceberg compared to the damage they inadvertently caused millions of regular people who trusted them.
Yet it’s impossible to do business without relying on third-party vendors. Learning how to deal with third-party data breaches and cyberattacks is a necessity for today’s entrepreneurs and business leaders.
Why third-party breaches are so dangerous
The average small-to-midsize business (SMB) subscribes to more than 20 software-as-a-service (SaaS) apps. Large-scale enterprises use a staggering 464 custom applications, on average, and the number is growing every year.
Under these conditions, it is easy to see how attackers broke into Target’s systems in late 2013 using network credentials stolen from its HVAC provider. However loudly Target’s executives blame the HVAC provider, the fact remains that cybercriminals could plausibly have used any one of Target’s hundreds of vendors to gain access.
The problem is that while Target, its employees and its customers suffered the majority of the damage, a third-party vendor’s compromised access was the entry point that exposed them. The wider the attack surface your organization presents, the bigger a target it becomes.
At the same time, you cannot reach into a third-party vendor and change their IT infrastructure at will. There is very little you can do to force a third-party vendor to comply with your security requirements.
What business owners can do to prevent third-party data breaches
The first step to mitigating the risk of a third-party data breach is making sure a competent IT administrator vets your vendors. This means asking your employees, managers, and supervisors to share their vendor lists with executives so that a complete inventory exists.
Although it seems like an obvious problem, relatively few executives really know what kinds of services ground-level employees use on a daily basis. If your marketing team starts a Slack workspace, or your HR lead uses Skype to conduct remote interviews, you should know about it.
Once you have a complete vendor list, begin auditing each vendor’s access level. This means asking how much access that particular vendor actually needs and setting hard limits on the data and systems they can reach in your organization.
This allows executive leadership to start an ongoing conversation about third-party security risks. From this point, it is possible to develop and implement a coherent strategy to mitigate third-party vulnerabilities in a variety of ways:
- Demand cybersecurity evaluations. Tightly integrated vendors (like distributors and managed service providers) are often willing to exchange cybersecurity audit results with their clients. Having those audits performed by a reputable third-party cybersecurity firm puts the relationship on secure ground.
- Look for secure alternatives to free services. You might not be able to get security certifications or audit reports from Skype, because it is a free consumer service not necessarily designed for secure B2B use. However, adding messaging and communication functionality to an already secured infrastructure is often simple to achieve. The key is making sure employees actually use the secure alternatives.
- Think about fourth and fifth parties. Your third-party vendors may be secure, but how secure are their third-party vendors? In an increasingly interdependent tech landscape, it is becoming important for software vendors to notify users when their data is shared with other organizations.
- Continuously assess your third-party connections. While point-in-time third-party assessment is standard among many SMBs, continuous assessment is a better fit for today’s security environment. Vendors need to perform the same security routines that you do, installing security patches and auditing user permissions, and continuous assessment is the best way to make sure that happens.
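One way to turn the procedure above (build the inventory, audit each vendor down to the access it actually needs, then keep reassessing attestations and fourth parties) into a repeatable check is a small review script over your vendor inventory. The following is an added example, not code from the article or from any vendor-management product; the vendor names, account names, scopes, dates and the 90-day and 365-day thresholds are constructed, hypothetical values.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Review thresholds (assumed policy values, not from the article).
MAX_IDLE_DAYS = 90        # a vendor account unused this long gets flagged for removal
MAX_AUDIT_AGE_DAYS = 365  # a vendor audit report older than this is treated as expired


@dataclass(frozen=True)
class VendorAccount:
    """One credential or integration a vendor holds in your environment."""
    vendor: str
    account: str
    needed_scopes: frozenset[str]    # what the vendor's job actually requires
    granted_scopes: frozenset[str]   # what the account can currently reach
    last_used: date
    last_audit_report: date | None   # most recent security audit the vendor shared, if any
    subprocessors_disclosed: bool    # has the vendor told you who its own vendors are?


def review_vendor_access(accounts, in_use, approved, today):
    """Return a list of (finding, subject, detail) tuples for the inventory."""
    findings = []

    # Shadow IT: services employees use that nobody has vetted.
    for vendor in sorted(in_use - approved):
        findings.append(("unvetted_vendor", vendor, "in use but not on the approved vendor list"))

    for a in accounts:
        # Least privilege: anything granted beyond the stated need is excess.
        excess = a.granted_scopes - a.needed_scopes
        if excess:
            findings.append(("excess_scope", a.account, sorted(excess)))

        # Dormant vendor credentials are a favourite foothold; revoke them.
        idle_days = (today - a.last_used).days
        if idle_days > MAX_IDLE_DAYS:
            findings.append(("stale_account", a.account, f"unused for {idle_days} days"))

        # Assurance has a shelf life: no report, or an old one, means no current evidence.
        if a.last_audit_report is None:
            findings.append(("attestation_expired", a.account, "no audit report on file"))
        elif (today - a.last_audit_report).days > MAX_AUDIT_AGE_DAYS:
            findings.append(("attestation_expired", a.account, f"audit report dated {a.last_audit_report}"))

        # Fourth parties: you cannot assess a chain you cannot see.
        if not a.subprocessors_disclosed:
            findings.append(("fourth_party_unknown", a.account, "vendor has not disclosed its subprocessors"))

    return findings


# Constructed sample data: hypothetical vendors, accounts and dates, not real organisations.
TODAY = date(2024, 6, 1)
APPROVED_VENDORS = frozenset({"crm-saas", "hvac-maint", "chat-tool"})
IN_USE = frozenset({"crm-saas", "hvac-maint", "chat-tool", "free-video-calls"})
SAMPLE_ACCOUNTS = [
    # Facilities vendor that only needs to read the building-management system,
    # but was handed VPN and payment-network access as well, and has gone quiet.
    VendorAccount("hvac-maint", "svc-hvac",
                  frozenset({"bms:read"}),
                  frozenset({"bms:read", "corp-vpn", "pos-network"}),
                  date(2024, 1, 10), date(2022, 11, 1), False),
    # Well-scoped, active, recently audited integration: should produce no findings.
    VendorAccount("crm-saas", "api-crm",
                  frozenset({"contacts:read", "contacts:write"}),
                  frozenset({"contacts:read", "contacts:write"}),
                  date(2024, 5, 30), date(2024, 3, 1), True),
    # Correctly scoped, but the vendor has never shared an audit report.
    VendorAccount("chat-tool", "sso-chat",
                  frozenset({"profile:read"}),
                  frozenset({"profile:read"}),
                  date(2024, 5, 31), None, True),
]


if __name__ == "__main__":
    for kind, subject, detail in review_vendor_access(SAMPLE_ACCOUNTS, IN_USE, APPROVED_VENDORS, TODAY):
        print(f"{kind:22} {subject:18} {detail}")
```

Running it prints one line per finding. In practice the inventory would be pulled from your identity provider and contract records rather than typed in, and the script would run on a schedule, so that a vendor account that goes dormant or an audit report that lapses is caught without anyone having to remember to look.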
Long-term success relies on secure vendors
In almost every industry, high-profile premium-service vendors tend to cost more than their lesser-known competitors. Cybersecurity resilience is one of the things on which that reputation is built, and business owners planning for long-term success should choose vendors accordingly.
When two vendors offer the same services at different prices, the lower-priced service is not always the better deal. Best-in-class cybersecurity protection is an overhead cost that delivers long-term stability, and it is impossible to turn a growing business into an industry leader without it.