Written by Peter Ramadan
Third-party risk has become a rising concern as more organizations rely on external vendors, partners, and service providers for essential functions. Data breaches involving third parties are on the rise, with attackers often quickly exploiting newly discovered vulnerabilities in these externally owned vendor systems to gain access to sensitive company data. To protect against such threats, organizations must go beyond securing their internal networks and adopt a proactive, comprehensive approach to third-party risk management.
An increasing number of large enterprises are suffering from third-party risk and are struggling to implement effective strategies to avoid damaging data breaches. The following cyber incidents from last year highlight the battle against this critical risk:
Disney Slack Breach
The Disney Slack data breach, disclosed in July 2023, involved unauthorized access to internal Slack channels where sensitive company information was shared. The breach occurred due to vulnerabilities in third-party applications integrated with Slack, which allowed attackers to exploit weak security controls. This incident highlights the significant risks of third-party breaches, especially when using collaboration tools. To better prepare a security program, organizations should implement stronger access controls, conduct regular security audits of third-party integrations, and enforce least privilege principles. Additionally, using encryption for sensitive communications and establishing stringent vendor risk management protocols can help mitigate future breaches involving external services.
Casio ClassPad Breach
The Casio ClassPad breach, revealed in August 2023, exposed the personal information of over 1 million users, primarily students and educators. The breach occurred due to a vulnerability in a third-party service provider's system, which handled user data for Casio's educational platforms. This incident underscores the significant risks posed by third-party breaches, as organizations like Casio rely on external vendors for critical services. The breach compromised sensitive information, including names, email addresses, and educational records, highlighting the importance of ensuring that third-party partners adhere to strict security protocols to prevent unauthorized access and protect user privacy.
HealthEquity Data Breach
The HealthEquity data breach, disclosed in September 2023, illustrates the risks associated with third-party breaches. The incident occurred through compromised employee email accounts, but it also involved third-party vendors who had access to sensitive data. The breach exposed personal, financial, and health information of over 169,000 individuals. The attack, which took place between December 2022 and January 2023, highlights the vulnerability of healthcare organizations to cyberattacks through third-party relationships. It emphasizes the need for organizations not only to secure their own systems but also to ensure that their vendors and partners have robust cybersecurity measures in place.
Act Today
Thankfully, there is light at the end of this dreary tunnel that can help you rest easier at night. Conducting thorough due diligence and due care to limit third-party compromise can be spearheaded by:
- Continuous compliance monitoring and data governance of vendors that perform key services and/or handle sensitive data for your organization, executed through annual risk assessment questionnaires sent to vendors and review of attestation reports such as SOC 2
- Implementing strict RBAC (role-based access control) for third parties
- Enforcing a Third-Party Engagement Enterprise Policy that defines the requirements for assessing vendors:
  - Data security and privacy
  - Compliance with applicable privacy/data security laws
  - Financial risks associated with bribery and corruption
  - Operational risks associated with the sudden and unexpected loss of the vendor
  - Reputation risks arising from association with a vendor's poor security practices or with its other clients
  - Contractual requirements that integrate cybersecurity requirements into contracts
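The two technical controls in the list above, strict role-based access for third-party accounts and continuous monitoring of vendor attestations, can be expressed as code so they are enforced rather than only documented. The following is an added example written for this article, not code from the author or from any vendor risk product. It assumes a small role catalogue (ROLE_PERMISSIONS), an annual attestation cadence (ATTESTATION_MAX_AGE) and a set of constructed sample vendors; all names and dates are illustrative.

```python
"""Third-party RBAC and attestation checks (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Assumed policy setting: SOC 2 reports and questionnaires are refreshed annually.
ATTESTATION_MAX_AGE = timedelta(days=365)

# Assumed role catalogue: each third-party role carries only the permissions
# that role needs (least privilege). Any role or permission not listed is denied.
ROLE_PERMISSIONS = {
    "payroll-processor": {"payroll:read", "payroll:write"},
    "support-readonly": {"tickets:read"},
    "log-shipper": {"logs:write"},
}
SENSITIVE_PERMISSIONS = {"payroll:read", "payroll:write"}


@dataclass
class Vendor:
    name: str
    roles: Set[str]
    handles_sensitive_data: bool
    last_soc2_report: Optional[date] = None
    last_questionnaire: Optional[date] = None
    access_expires: Optional[date] = None


def permitted(vendor: Vendor, permission: str, today: date) -> bool:
    """Deny-by-default RBAC decision for a third-party account.

    Access is refused once the engagement end date has passed; otherwise it is
    granted only if one of the vendor's catalogued roles carries the permission.
    """
    if vendor.access_expires is not None and today > vendor.access_expires:
        return False
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in vendor.roles)


def compliance_findings(vendor: Vendor, today: date) -> List[str]:
    """Findings for the periodic vendor review; an empty list means clean."""
    findings = []

    def stale(d: Optional[date]) -> bool:
        return d is None or today - d > ATTESTATION_MAX_AGE

    # Vendors handling sensitive data must hold current attestations.
    if vendor.handles_sensitive_data:
        if stale(vendor.last_soc2_report):
            findings.append("SOC 2 report missing or older than 12 months")
        if stale(vendor.last_questionnaire):
            findings.append("risk questionnaire missing or older than 12 months")

    # Roles outside the catalogue grant nothing, but their presence signals drift.
    unknown = sorted(r for r in vendor.roles if r not in ROLE_PERMISSIONS)
    if unknown:
        findings.append("roles not in the catalogue: " + ", ".join(unknown))

    # Least privilege: sensitive permissions only for vendors approved for them.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in vendor.roles))
    if not vendor.handles_sensitive_data and granted & SENSITIVE_PERMISSIONS:
        findings.append("sensitive permissions granted to a vendor not approved for sensitive data")

    if vendor.access_expires is None:
        findings.append("no engagement end date; access would never expire")
    return findings


# Constructed sample vendors (not real organizations) and a fixed review date.
REVIEW_DATE = date(2024, 9, 1)
PAYROLL_VENDOR = Vendor("Example Payroll Co", {"payroll-processor"}, True,
                        last_soc2_report=date(2024, 3, 1),
                        last_questionnaire=date(2024, 2, 15),
                        access_expires=date(2025, 6, 30))
STALE_VENDOR = Vendor("Example Analytics Co", {"payroll-processor"}, True,
                      last_soc2_report=date(2023, 1, 10),
                      last_questionnaire=date(2024, 2, 15),
                      access_expires=date(2024, 8, 31))
HELPDESK_VENDOR = Vendor("Example Helpdesk Co", {"support-readonly", "payroll-processor"}, False,
                         access_expires=date(2025, 1, 1))


if __name__ == "__main__":
    for v in (PAYROLL_VENDOR, STALE_VENDOR, HELPDESK_VENDOR):
        print(v.name, "payroll:write ->", permitted(v, "payroll:write", REVIEW_DATE))
        for f in compliance_findings(v, REVIEW_DATE):
            print("  finding:", f)
```

The access decision and the compliance review are deliberately separate: `permitted` answers only "does this role grant this permission right now", while `compliance_findings` is what the annual review runs to catch an over-privileged helpdesk vendor or a lapsed SOC 2 report before the next access request arrives.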
Conclusion
Third-party risk is an ever-present and growing threat that should not be underestimated, with data breaches increasingly stemming from vulnerabilities within external vendors and service providers. By staying informed and taking a proactive approach, implementing the procedures described in this article, businesses can fortify their security posture and significantly reduce the chances of falling victim to cyberattacks that exploit third-party relationships.
This article was written and published by a talented and valued associate - Peter Ramadan. You can find Peter at https://LinkedIn.com/in/pramadan.