The new year has only just begun, and many CISOs and compliance professionals are making third-party risk management a priority. Similar to how those who never received flu shots may suddenly decide to vaccinate during a particularly bad flu season, companies that never had a formal third-party security process are now focusing attention on how to create and implement one.
What is it about 2020 that is prompting these changes? Here are some of the reasons:
In today’s hyper-connected world, organizations do business with lots of vendors—even some that may not be considered threats. For example, a 2019 data breach involving online text invitation service Evite exposed the data of millions of users, including the business information of companies that used it. But it’s likely that many organizations that used Evite did not even consider it to be a risky third party.
In addition, supply chains are so complex that many organizations are not even fully aware of who all their business partners are. This creates a clear problem: How do you protect your data if you don’t know who has access to it?
As the supply chain continues to grow, organizations are realizing that they need help managing the security of the hundreds or even thousands of third parties they connect to. To achieve this, it’s important to uncover all supply chain relationships by using an asset discovery tool and to assess and continuously monitor all vendors. By doing so, organizations can pinpoint any security issues within the supply chain that can be fixed before cybercriminals exploit them.
Because of coronavirus, many companies—including third parties—have implemented work-from-home policies. This shift has created numerous significant cybersecurity issues.
One issue is a lack of authentication and authorization resulting from not being able to work face-to-face. Consequently, there’s an increased need for multi-factor authentication, monitoring access controls and creating strong passwords. As emails and online requests increase, there’s also an increased risk of phishing and malware attacks. In addition, employees who use their own devices can introduce new platforms and operating systems that may not be secure.
These risks can be even worse within the supply chain, particularly among smaller vendors that may lack the resources to implement the necessary security measures. This presents an unfortunate opportunity for cybercriminals, who can target third parties to penetrate their upstream partners.
An increasing amount of software is being managed on the cloud, and as a result, we will likely see even more disastrous data breaches resulting from cloud configuration mishaps. Recently, we saw these types of data leaks involving companies such as LightInTheBox, PayMyTab and OptionWay, illustrating what can happen when data is stored on insecure servers hosted by third parties.
This situation can be avoided by putting more emphasis on controlling access to system images and database backup files. Extra vigilance, however, is required to ensure that third parties store data securely. As organizations continue to store more data in the cloud through third parties, they are looking for solutions that verify their cloud security.
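One concrete form that “controlling access to backup files” takes is auditing the access policy on the storage bucket that holds them. The script below is an added example, not code from the original article or from Panorays; it assumes the policy is expressed in the standard AWS S3 bucket-policy JSON shape, and the bucket name, account ID, prefixes and statement IDs are constructed for illustration. It flags any Allow statement that grants an object-read action to a wildcard principal with no Condition on a prefix the defender has marked as sensitive, which is exactly the misconfiguration behind public exposure of backups and images.

```python
import json

# Constructed sample bucket policy (invented bucket, account and paths), written in
# the standard S3 bucket-policy JSON shape so the parser below is realistic.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Legitimate: a named role reads its own prefix.
            "Sid": "AppReadsOwnPrefix",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-server"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-corp-data/app/*",
        },
        {   # Misconfiguration: anyone on the internet can read the backups.
            "Sid": "PublicBackupRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-corp-data/backups/*",
                         "arn:aws:s3:::example-corp-data"],
        },
        {   # Wildcard principal, but scoped by a Condition: not flagged here.
            "Sid": "PublicButRestrictedToVpc",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-corp-data/public-site/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}},
        },
    ],
})

# Constructed list of key prefixes the defender treats as sensitive.
SENSITIVE_PREFIXES = ("backups/", "images/", "db-dumps/")

# Actions that let a principal read object contents.
READ_ACTIONS = ("s3:GetObject", "s3:*", "*")


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """'*' or {'AWS': '*'} both mean anyone, including anonymous requests."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _resource_key(arn):
    """arn:aws:s3:::bucket/key -> 'key'; arn:aws:s3:::bucket -> ''."""
    _, _, rest = arn.partition(":::")
    _, _, key = rest.partition("/")
    return key


def find_public_sensitive_grants(policy_json):
    """Return (Sid, action, resource) triples for unconditional public read
    grants on sensitive prefixes or on every object in the bucket."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by a condition; review separately rather than flag
        for action in _as_list(stmt.get("Action", [])):
            if action not in READ_ACTIONS:
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                key = _resource_key(resource)
                if key == "*" or key.startswith(SENSITIVE_PREFIXES):
                    findings.append((stmt.get("Sid", "<no Sid>"), action, resource))
    return findings


if __name__ == "__main__":
    for sid, action, resource in find_public_sensitive_grants(SAMPLE_POLICY):
        print(f"PUBLIC READ: statement {sid} allows {action} on {resource}")
```

Run against the sample, it reports only the PublicBackupRead statement: the named-role grant is not public, and the VPC-endpoint-conditioned grant is deliberately left for manual review rather than treated as an exposure. The same check can be pointed at a vendor’s exported policies as part of a third-party assessment.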
GDPR and CCPA have ramped up data privacy enforcement in the European Union and California, respectively, and similar regulations are being written and enacted throughout the world. These regulations are having a significant effect on how organizations approach privacy and cybersecurity vendor management.
The stakes are high for companies that don’t comply with these regulations. GDPR noncompliance could result in penalties as high as €20 million or 4% of annual revenue—whichever is greater. With CCPA, organizations can be fined up to $2,500 for each negligent violation and up to $7,500 for each intentional violation. CCPA has a notable added consequence: Individuals can also seek damages of between $100 and $750, and actions can be aggregated into a class action. This leaves companies open to the possibility of enormous financial penalties brought by their users.
Organizations therefore have good reason to comply with these regulations, and cybersecurity plays a key role. GDPR demands that organizations tighten their cybersecurity—as well as their third parties’—to protect data privacy. CCPA similarly stipulates that organizations must implement “reasonable” security measures.
For all of these reasons, cybersecurity vendor management is vital, and organizations are searching for solutions to do it effectively and comprehensively. The best solutions will also offer a way to check CCPA and GDPR compliance as well as cyber posture.
Both phishing and ransomware attacks continue to be widespread, primarily because they are quite effective: These attacks are easy to create and they yield quick financial rewards.
Phishing, which is an attempt to deceive a victim in order to gain access to confidential information and/or distribute infected files, accounted for nearly one-third of breaches in 2018. Ransomware, which is a type of malware that prevents users from accessing data until they pay a ransom, was reported to cost US businesses more than $7.5 billion in 2019.
Often, the best way for cybercriminals to steal data from organizations is by targeting their less-secure third-party vendors. Thus the ongoing and very real threats of phishing and ransomware are powerful motivators for organizations to implement a robust third-party security process.
Clearly, it’s necessary for organizations to sharpen their third-party security processes. Organizations must assess and regularly monitor the flow of data within their systems and their vendors’ systems, and be aware of security issues and how to mitigate them.
Using Panorays, organizations can rapidly assess the security of their third parties and check for compliance to regulations like GDPR and CCPA. Learn more here about the important questions you should be asking to determine vendor security.