Have you noticed how data breaches involving third parties have increased?
PYMNTS.com recently ran a headline story: Third-Party Data Breaches Rise To 61 Pct. In US.
Every business segment has been affected, as the examples below show:
“An unauthorized user accessed the personal information of as many as 2.65 million Atrium Health patients in September after getting into the systems of one of Atrium’s third-party vendors. Breaches like this one, in which a hacker gains access to a large organization through one of its third-party vendors, are becoming more common, according to Bob Anderson, principal in the Chertoff Group’s strategic advisory services practice.” (Modern Healthcare, “2.65 million Atrium Health patients’ data potentially exposed,” by Rachel Z. Arndt, 11/28/8)
“Cathay Pacific. British Airways. Air Canada. Airlines and airports are hot targets for cyberattackers, whose motivations range from financial and identity theft to cyber espionage. Those three recent incidents reflect a growing trend. It was late August 2018 when Air Canada alerted users to a mobile app breach affecting 20,000 people. British Airways admitted to a breach compromising 380,000 passengers in September; a month later, it learned 185,000 more were affected in a second attack. Cathay Pacific spooked us all when, a few days before Halloween, it disclosed a breach exposing the data of 9.4 million people — the largest of any airline to date. The risk of a security breach intensifies with the number of third-party vendors involved with a company’s processes. Airports work with many, and their operations demand constant exchange of data among governments, credit card companies, baggage handlers, maintenance, and a wealth of other organizations responsible for keeping the industry in business… For attackers hoping to cash in on sensitive data, the aviation industry is a gold mine.” (Dark Reading, “Buckle Up: A Closer Look at Airline Security Breaches,” by Kerry Sheridan, 11/26/18)
“Some of the most devastating breaches in the past few years have been the fault of third parties. Take the Equifax breach, for example: 148 million people were affected because third-party vendors ran malicious code on one of its web pages. It’s no secret that mitigating third-party risks is crucial in the financial industry, but the problem is that third parties putting data at risk affects organizations around the world—no matter what industry they’re in.” (Data Center Journal, “Third Party Problems: 4 Ways to Stop What You Can’t See,” by Kevin Alexandra, 10/11/18)
A look at the facts
The third annual Ponemon Institute “Data Risk in the Third-Party Ecosystem” study, sponsored by Opus, surveyed more than 1,000 CISOs and other security and risk professionals across the US and UK to understand the challenges companies face in protecting sensitive and confidential information shared with third-party vendors and partners.
According to the Ponemon study, “59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is even higher at 61 percent — up 5 percent over last year’s study and a 12 percent increase since 2016. What’s more, many breaches go undetected: 22 percent of respondents admitted they didn’t know if they’d had a third-party data breach in the past 12 months. Overall, more than three-quarters of organizations believe that third-party cybersecurity incidents are increasing.
A key contributing factor is the growing complexity of the third-party landscape. Companies continue to increase their reliance on third parties and, on average, share confidential and sensitive information with approximately 583 third parties. Yet, only 34 percent keep a comprehensive inventory of these third parties, a statistic that’s even worse for Nth parties, at 15 percent. Sixty-nine percent of respondents indicated that a lack of centralized control was the key reason for not having the comprehensive inventory. Additional key reasons included lack of resources and the complexity of third-party relationships.”
Something to consider – Third Party Identity Risk & Lifecycle
SecZetta specializes in solutions for third-party identity lifecycle management (ILM) and provides an authoritative source and system of record for managing all non-employees, including contractors, vendors, customers and partners. Managing third parties within the corporate enterprise is not easy because of the complexity involved. The SecZetta solutions complement any HR and/or IAM system, including SailPoint (Certified), SAP, RSA, OIM, SecureAuth/Core, etc. Because of cybersecurity regulations and standards worldwide (HIPAA, NIST, GDPR, NYDFS, PIPEDA, etc.), companies must address the challenges associated with third-party identity lifecycle risk.
Our tools allow organizations to establish a much-needed authoritative source for third-party identities. They let organizations define the process for onboarding non-employee identities, understand the risk of each non-employee at the identity level before granting access, and re-validate identities so that only the appropriate people remain active.