The problem with third-party breaches: A data protection dilemma
Time and time again, organizations face an escalating threat to their data: third-party breaches. As businesses increasingly rely on external vendors and partners for various services, sensitive information becomes harder to protect. This raises the question: are traditional security measures still effective in protecting vital information, or have they become obsolete?
There has been a notable increase in third-party breaches, with headlines featuring Snowflake, Santander and Ticketmaster as recent victims. These incidents highlight that vulnerabilities are inherent in our systems, making no organization immune to such attacks.
Unsurprisingly, 98 percent of organizations have experienced a third-party breach within the past two years. These breaches can expose critical data, resulting in severe financial and reputational damage. To mitigate these risks, it is essential that organizations thoughtfully consider new strategies to defend against third-party breaches and protect their data.
The Problem With Third-Party Breaches
A third-party breach occurs when malicious actors compromise a vendor, supplier, contractor or another affiliated organization to gain access to sensitive information or systems related to the victim’s customers, clients or business partners. These breaches can happen through various methods, including compromised credentials, software vulnerabilities, insider threats and weak security measures. Ultimately, adversaries will always opt for the path of least resistance to achieve their goals.
Third-party vendors are invaluable to any business but also introduce significant risks. Supply chain attacks, in particular, are on the rise, with 62 percent of network intrusions originating from a third party, often someone within your supply chain. The most alarming aspect of these breaches is their considerable impact.
Organizations have experienced significant disruptions from third-party cyber incidents, with 73 percent reporting at least one major incident. A notable example is the 2020 SolarWinds breach, where sophisticated malware was inserted into SolarWinds' own software updates. SolarWinds, which managed numerous companies' credentials, became an ideal target for a widespread attack. This breach exposed many organizations to risk due to the extensive use of SolarWinds solutions within the supply chain. As a result, 18,000 customers were impacted. The financial fallout was substantial, with BitSight estimating losses at $90 million. Beyond financial damage, such incidents harm reputations and erode the trust between businesses and their third-party partners.
Many people consider their risk surface to be confined to the domains they directly control, focusing on direct attacks and insider threats. In reality, your risk surface encompasses all the risks associated with the companies you interact with. As the saying goes, "You don't just marry the person; you marry their family." This includes customers, vendors, partners and suppliers. The SolarWinds incident affected not only its direct customers but the entire supply chain, illustrating the interconnected nature of these risks. A crucial difference exists between the "known attack/risk surface" and the "unknown but real attack/risk surface."
In addition, large-scale data breaches have highlighted the urgent need for robust cybersecurity measures. Notably, Ticketmaster, Santander and Snowflake have all suffered significant breaches. Ticketmaster’s breach compromised data for 530 million customers, while Santander exposed personal information for 30 million. The breached data included full names, email addresses, phone numbers and hashed credit card numbers. Snowflake’s breach, which involved compromised employee credentials bypassing their authentication service, underscores the critical need for secure cloud storage and effective cybersecurity tools. This incident demonstrates that implementing strict security protocols and multi-factor authentication is essential, making Zero Trust not just a preference but a necessity.
Organizations need to implement a comprehensive risk management plan for vendors. This includes thoroughly vetting third parties, requiring accountability, and staying aligned with cybersecurity best practices to remain vigilant against potential threats. Doing so significantly reduces the scope of a breach and its devastating impacts.
Prioritizing Data Protection in a Zero-Trust Model
In the wake of significant data breaches affecting major organizations, it’s clear that traditional cybersecurity measures have become insufficient. A more comprehensive approach, such as the zero-trust strategy, is essential to protect sensitive information. Zero-trust is a security framework that requires all users, whether inside or outside the organization's network, to be authenticated, authorized and continuously validated for security configuration and posture before granting or maintaining access to applications and data. While zero-trust is often associated with network and access control, it’s crucial to extend these principles to the data layer to ensure data remains protected regardless of its location or access method.
Protecting data before involving third parties is a critical step in enhancing security. If data were appropriately protected at its origin, breaches like those involving Ticketmaster and Santander might never have made headlines. Effective data governance and visibility into data operations are essential for managing privacy and protecting information comprehensively. Additionally, data protection strategies such as encryption, data masking and other de-identification techniques can secure data before it is shared, minimizing the risk of exposure.
The long-term impacts of data breaches can be severe, affecting an organization's financial standing, reputation and customer trust. Implementing data de-identification methods like tokenization, encryption, data masking and anonymization reduces these risks.
- Tokenization replaces sensitive data with non-sensitive equivalents.
- Encryption converts data into a coded form accessible only with a decryption key.
- Data masking obscures data to hide its true content.
- Anonymization removes identifiable information.
By integrating these methods into a zero-trust strategy, organizations can better safeguard their data and maintain the trust and security of their digital ecosystems.
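As an added example (not code from the article or from Protegrity), the following stdlib-only Python applies three of the techniques above, tokenization with a vault the data owner keeps, data masking and anonymization, to a constructed customer record before it is handed to a vendor, and checks that no raw identifier or full card number leaves with it. Encryption is left out only because the standard library has no AES; the record values and the `tok_` token prefix are assumptions.

```python
import secrets

# Constructed sample record of the kind the article says was exposed
# (name, email, phone, card number); every value here is made up.
CUSTOMER = {"name": "Jane Example", "email": "jane@example.com",
            "phone": "+1-555-0100", "card": "4111111111111111",
            "dob": "1984-06-12", "postcode": "SW1A 1AA"}


class TokenVault:
    """Token <-> value map kept by the data owner; only tokens leave."""

    def __init__(self):
        self._forward = {}  # token -> original value
        self._reverse = {}  # value -> token, so repeats stay consistent

    def tokenize(self, value: str) -> str:
        if value not in self._reverse:
            tok = "tok_" + secrets.token_hex(8)  # random, unrelated to value
            self._forward[tok], self._reverse[value] = value, tok
        return self._reverse[value]

    def detokenize(self, token: str) -> str:
        return self._forward[token]  # only possible with the vault


def mask_card(pan: str) -> str:
    """Data masking: hide all but the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def anonymize(record: dict) -> dict:
    """Anonymization: drop direct identifiers, coarsen quasi-identifiers."""
    return {"birth_year": record["dob"][:4],
            "postcode_area": record["postcode"].split()[0]}


def prepare_for_vendor(record: dict, vault: TokenVault) -> dict:
    """The copy a third party receives: tokens, masked PAN, coarse fields."""
    return {"customer_ref": vault.tokenize(record["email"]),
            "phone": vault.tokenize(record["phone"]),
            "card": mask_card(record["card"]),
            **anonymize(record)}


def leaks_sensitive(shared: dict, original: dict) -> bool:
    """True if any raw identifier or full PAN survives in the shared copy."""
    blob = " ".join(str(v) for v in shared.values())
    return any(original[k] in blob for k in ("name", "email", "phone", "card"))
```

If the vendor's copy is later breached, only the vault holder can map `customer_ref` back to a person, which is the property the article asks for when it says data should be protected at its origin.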
In today’s digital age, the increased levels of connectivity come with their share of risks. Third-party breaches pose a significant challenge to organizations, demanding meticulous attention and proactive measures to prevent data compromises. Adopting a zero-trust strategy and investing in robust data protection solutions are critical steps in navigating this complex digital landscape. By implementing proactive measures, maintaining a continued focus on security and committing to data protection, organizations can enhance their resilience and safeguard their data now and in the future. Embracing these strategies will ensure a secure environment where sensitive information is consistently protected against evolving cyberthreats.
Clyde Williamson is Chief Security Architect at Protegrity.