Verizon, Trump Hotels, and the RNC are Among the Recent Victims of Third-Party Breaches

Even if your own cyber security is up to snuff, your organization could be at risk of third-party breaches if your business partners are not as diligent as you are. Verizon just learned this lesson the hard way after one of its vendors, telephonic software and data company NICE Systems, left the information of 14 million Verizon customers on a misconfigured Amazon server.

This incident did not happen in a vacuum. Other recent third-party breaches affecting major organizations include:

• The Republican National Committee (RNC), whose data analytics vendor exposed the data of 198 million voters after leaving it on – you guessed it – a misconfigured Amazon server.
• Trump Hotels, which, along with chains such as Hard Rock and Four Seasons, had its customer data exposed after a breach at its reservations vendor, Sabre Corporation.
  ◦ A number of Google employees were also impacted by the Sabre breach because Google’s third-party travel management company used Sabre’s systems – meaning this breach happened at the third-party vendor of a third-party vendor.
• Netflix, which had the upcoming season of its hit series Orange Is the New Black dumped online after a hacker breached a third-party post-production house, Larson Studios. It has since been discovered that the hackers got into Larson’s systems by taking advantage of the fact that the company was running an antiquated version of Windows.

Third-Party Breaches Common in the Age of Outsourcing

Once a dirty word, outsourcing is a normal part of doing business in the 21st century. Organizations of all sizes routinely retain the services of third-party business partners to take care of all manner of functions outside their core competencies, from cloud storage to customer billing to payroll services. Unfortunately, because so many business functions are now outsourced, third-party breaches have become more common than primary data breaches; an estimated 63% of all enterprise breaches can be traced back to a third-party vendor.

If one of your vendors gets hacked, don’t expect to be able to point fingers and pass the buck. Even if your business partner makes a colossal mistake, your organization will be the one that’s held responsible by your customers, any affected banks, and regulatory bodies. The infamous Target breach, which cost the company nearly $300 million and shook up its C-suite, involved a third-party vendor.

Protecting Your Organization from Third-Party Breaches

As with primary cyber attacks, the best way to deal with third-party breaches is to prevent them from happening in the first place. While you cannot dictate to your business partners how they should run their firms, as their paying customer, your enterprise is not without recourse:

• Understand your enterprise ecosystem so that you can build risk profiles for all of your business partners. Who are your business partners, and what service does each provide? What level of access do they have to your data and systems?
• Understand who your vendors are subcontracting to and whether they will have access to your data. As in Google’s case, a breach at a third-party vendor used by one of your third-party vendors can come back to haunt your organization.
• Include cyber security provisions in your vendor contracts, including security measures your business partners must take regarding their own vendors.
• Give your vendors the minimum level of access to your systems and data that they need, and no more.
• Only do business with IT services vendors who have released AICPA SOC / SSAE16 reports and/or who have important IT security certifications such as NIST, ISO, or FedRAMP. These organizations have undergone rigorous security audits and have proven their commitment to the highest levels of data security.

Further to the above, if your business provides IT services to other businesses, obtaining the appropriate data security certifications is a wise investment that will help you instill trust in your customers.

Author's Bio:

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.