As highlighted by the Equifax breach, organizations put their consumers' information at risk when they don't prioritize third-party vendor security as part of their cybersecurity governance.
The recent Equifax breach is a great example of the risks inherent to collaborating with third parties. Lenders depend on credit reporting agencies like Equifax to vet borrowers, and in doing so they supply those agencies with consumers' sensitive financial information. While those lenders may go to great lengths to ensure that data is secure, Equifax unfortunately didn't share that commitment.
The third-party governance problem is acute in the financial industry, where banking and lending organizations extend day-to-day operations to third-party credit agencies. But the problem of third parties putting data at risk affects enterprises no matter their industry. Until organizations learn to manage this risk, they'll continue to put their consumers' information in jeopardy.
Why a third party becomes a threat
The Identity Theft Resource Center reported that the first half of 2017 witnessed a 29 percent increase in cyberattacks over the previous year. Given this rise, most companies are now arguably more aware of a direct data breach's consequences, from public relations fallouts to massive financial losses.
Yet, even when an organization is indirectly responsible for a data breach, as when the vulnerability comes via a third party, the result is the same. Consumers are unwilling to separate your company from its third-party vendors, so a cyberattack on your vendor can mean that your company will suffer accusations of poor oversight and indifference to consumer welfare.
In a recent survey from Soha Systems' Third Party Advisory Group, 63 percent of all cyberattacks could be traced either directly or indirectly to third parties, but less than 2 percent of organizations surveyed listed third-party cybersecurity as a priority. Even before the public learned of the Equifax breach, the 2014 Home Depot and 2013 Target data breaches became high-profile examples of third-party attacks, as both companies were breached through third-party vulnerabilities.
Organizations and third parties collaborate in three risk-inducing ways: when third parties store data for businesses, when third parties access data from businesses, and when third parties and businesses share data.
Ultimately, all of these risks can be mitigated by a strong third-party governance program, because safeguarding data requires a comprehensive and interorganizational approach that acknowledges and accounts for the diverse ecosystem of cyberthreats.
How to prioritize security when dealing with third parties
As organizations work with third parties, they need to form partnerships with vendors that are as serious about security as they are. Using this three-part strategy, organizations can refine their approach to choosing vendors and ensure that their existing vendors continue to provide the levels of security they require.
1. Vet vendors based on security standards.
Before signing a contract with any third party, find out what kind of security infrastructure, policies and employee training it has in place. Especially if a third party is storing your data, it should abide by your cybersecurity practices or standards, such as System and Organization Controls.
2. Conduct ongoing audits of vendors' systems.
The cyberthreat landscape is constantly changing, and protections must be regularly updated to keep pace. Audits of your third-party vendors reveal when, where and how they have updated their security infrastructure and whether it's still adequate. Don't be afraid to make the audits a condition for contract renewal and, if need be, call in an independent evaluator who can perform such a process, as many organizations lack the resources to conduct such an audit themselves.
3. Implement user-friendly, collaborative security solutions.
When sharing information, ensure security is maintained across your communication platform. If emailing sensitive data, make use of automatic encryption to avoid mistakes, and keep access to encrypted email hassle-free so that users within your organization and at third parties aren't inclined to work around it. If using email and online collaboration tools, make sure your solution providers are vetted and audited just as you would your partners. In this way, every attack vector is automatically covered.
Equifax may be top of mind, but soon that company will be replaced by the next one that suffers a high-profile breach. If your organization is not actively focusing on third-party cybersecurity by vetting vendors, auditing systems and utilizing technical solutions, then you may be next. Instead, consider the lessons that these breaches have taught us, and start taking steps to bolster your protections.