The hidden costs of third-party data breaches -- and how to avoid them
Recent studies show that third-party data breaches are the most expensive cyber incidents for businesses today. The rise in associated costs has prompted not only security leadership but also executives and boards to pay close attention to the cyber risk that comes with doing business with their biggest vendors and partners. But what many business leaders don’t realize is that the biggest third-party cyber risks can come from the smallest, most seemingly innocuous places.
Take, for example, the Docker Hub cyberattack that took place this past May. While in the grand scheme of a given business ecosystem Docker Hub’s role -- a repository developers use to store container image files -- is small, the extent of the damage to its customers was not.
The breach exposed thousands of customer logs, user tokens, and hashed passwords. As part of the breach recovery process, customer DevOps teams who used Docker Hub were tasked with tracking down which assets were impacted, resetting passwords, and replacing the files that were attached to Docker Hub accounts. Whether Docker will face any regulatory repercussions remains to be seen, but its customers are already feeling the strain on resources that comes with spending time cleaning up the breach aftermath, time that could otherwise be applied to work that creates revenue for their businesses.
The bottom line is that any vendor -- from those that store sensitive company data like financials, to those that access seemingly inconsequential assets like DevOps images -- can cause extensive exposure and damage to an organization it does business with in the event of a data breach.
Key to minimizing the impact of and recovery process for any third-party cyber incident is being able to swiftly identify the extent of the systems and data affected -- and that starts with having visibility into your full vendor ecosystem. Let’s explore three critical steps to putting your business in a better position to prevent third-party breach recovery costs and headaches.
Step 1: Catalog All Access Points
On average, a company’s network is accessed by 89 vendors a week in order to perform various crucial business functions, like payroll, human resources, and IT. This number is only projected to grow with the continued rise of outsourcing and cloud applications, making it critical that organizations keep an up-to-date, comprehensive record of each vendor’s network access points.
This allows security leaders to identify all potential entry points a cybercriminal may exploit across the entire business ecosystem. By keeping an up-to-date inventory of all vendors and the systems they have access to, organizations can better track and identify potential vulnerabilities, with a decreased response time in the event of an incident.
Step 2: Own Your Vendor Accounts
Once an organization has an understanding of each vendor’s access points, the next step is to identify and manage the accounts held by these organizations.
This process starts by ensuring that each account is internally managed and linked to an organizational email address. By taking this step, organizations can confirm that they are in control of each account, and are the first point of notification if an incident does occur. If a third-party user uses a personal account or fails to notify their customers or partners in the event of a cyber threat, the lag time from breach to remediation can increase significantly -- as will the resulting costs.
Step 3: Leverage Continuous Risk Monitoring
Many security teams conduct regular internal audits and continuous monitoring to assess their own security posture but fail to do the same when it comes to their third parties.
Whether entering a new relationship with a vendor or auditing existing partners, organizations should be able to continuously evaluate the quantitative risk posed by third-party vendors. Having real-time visibility into vendor security performance can help the organization not only quickly identify cyber incidents, but also significantly speed up communication and action to address those incidents in a collaborative way between the two parties.
It is critical that organizations today remember that their security posture is only as secure as their weakest vendor. By applying these best practices to all third-party risk management strategies, organizations can proactively address potential threats within their vendor ecosystem, rather than reactively scramble to address a cyber incident with a costly recovery process.
Jake Olcott is Vice President, Communications and Government Affairs at BitSight. He previously managed the cybersecurity consulting practice at Good Harbor Security Risk Management. Prior to Good Harbor, Jake served as legal advisor to the Senate Commerce Committee, and also served as counsel to the House of Representatives Homeland Security Committee.