This is part one of a two-part blog series about third-party risks and cybersecurity frameworks.
With growing cybersecurity risks spanning across all industries, organizations of all sizes are struggling to develop comprehensive security and risk assessment programs, often with limited resources, tight budgets, and lack of skilled cybersecurity professionals.
And attackers know this.
That’s why they generally stay a step ahead of organizations when it comes to seeking out weaknesses and vulnerabilities.
While your company looks for innovative and effective ways to keep your enterprise safe, you may be saddled with complicated compliance and regulatory standards that add additional burdens to already overworked teams.
But data breaches are not slowing down.
Increasing Risk for Third-Party Relationships
While your organization focuses on stopping these attacks and trying to get ahead before another breach, your limited resources and staff may mean that most of your company’s attention is on internal networks and data—now extending to the cloud. But it’s also important not to overlook threats caused by third-party vendors, suppliers, and business associates.
For all organizations, regardless of compliance standards, these outside vendors may put your organization at greater risk than your own network vulnerabilities or weaknesses.
And one overlook or missed vendor risk assessment could cost a small business tens of thousands of dollars in response and recovery costs, which can easily reach the million dollar threshold or higher for larger organizations.
And those numbers can go up quickly based on compliance obligations.
But third-party risk is growing, even if focus there is not.
In 2019, there were almost 370 third-party data breaches, an increase of more than 35% in the past two years.
And unfortunately, those third-party data breaches exposed a startling number of records, increasing from 1.7 billion in 2018 to about 4.7 billion in 2019.
A report from Risk Based Security says that 2019 was the worst year for third-party data breaches ever, with an average of about 13 million records exposed in each breach.
Far-Reaching Effects of Third-Party Breaches
If you read about big data breaches from 2019, you’ll likely learn about LabCorp or Quest Diagnostics—two companies that had millions of records exposed in a third-party breach.
Yet, less known for those who don’t keep a pulse on data breaches is the name of the third-party where the breach originated.
The breaches began with the American Medical Collection Agency (AMCA), a medical bill and debt collector. In total, it’s estimated about 25 million patient records were exposed for multiple organizations, making it—to date—the second largest healthcare data breach ever.
As a result of that data breach, AMCA filed bankruptcy, leaving the affected companies dealing with cleanup, recovery costs and related measures, including fines.
Responsibility When You’re the Third Party
In this breach, because the exposed data was health-related, AMCA, as a third-party vendor, was responsible for protecting that data by the same Health Insurance Portability and Accountability Act (HIPAA) standards as core agencies like Quest or LabCorp.
That’s because in healthcare, for example, a third-party vendor that creates, receives, transmits, or maintains electronic protected health information (PHI) should provide assurances to the core organization that all PHI records are safeguarded. That’s frequently accomplished through a business associate agreement.
Outside of the healthcare industry, depending on regulatory standards, organizations may require similar assurances as either part of a contract, a service-level agreement, or both.
The deeper an organization is positioned in a supply chain, the more complicated this responsibility can become, especially if you’re a vendor who provides products or services to a supply chain customer and you use other vendors to support the work you do.
Not only do you have cybersecurity requirements for your own company and how you do business, but you must also meet the standards set in your agreements with your supply chain customers. Additionally, taking it a step further, you are also responsible for ensuring that your own supply chain vendors adhere to the same standards..
Here’s an example of what this might look like in an industry outside of healthcare:
You work for an investment management firm, and your primary focus is managing investments for a variety of small, medium, and large organizations.
One of your clients is a large metro government agency, which we’ll refer to as Bigtown.
When you began your engagement with Bigtown, as part of a vendor risk assessment, Bigtown asked you a lot of questions about your existing cybersecurity practices and processes. In addition to answering those questions, you had to provide proof-of-compliance documentation to demonstrate those abilities.
After receiving your proof-of-compliance responses, Bigtown evaluated them to analyze the risk of doing business with you.
Since you won the contract, Bigtown determined your risk mitigation protocols met their level of acceptability, so they agreed to do business with you.
A contract, service level agreement (SLA), or other agreement was drawn and signed and you’re happy you landed the deal.
As part of your contractual agreement with Bigtown, throughout your engagement, you have specific data and privacy requirements to meet in order to ensure Bigtown’s data is safe and that you’re meeting all the expectations set forth in your agreement.
Periodically, at least annually and for contract renewals, Bigtown conducts a cybersecurity audit on your organization to ensure you continue to meet their standards.
If you are, great! The relationship can continue. If not, Bigtown may terminate your contract because the risk you bring to the table is more than its willing to take.
Because you’re a successful company and you value data privacy and protections, in addition to responding to Bigtown’s periodic audits, you also conduct quarterly internal audits. These audits are great because if you have gaps in your cybersecurity program, you can find and remediate them before Bigtown discovers them in their annual audits or an attacker initiates a breach.
Audits are also helpful because, if you do have a breach, you may be able to more quickly identify it to begin mitigation. From there, you can let Bigtown know what’s happened along with your plans to resolve the current issue and what you’re doing to ensure it won’t happen again in the future.
But internal audits and responding to your clients’ audits should be just one component of a mature cybersecurity program with the objective of reducing your risks as a mid-tier vendor in a multi-tier supply chain.
You should go further and take the same approach with your third-party vendors and suppliers.
Your Vendors Are Risks, Too
Traditionally, many businesses thought of their supply chain as merely those businesses that helped you receive, manufacture, and manage physical products and supplies to do business. But today, your supply chain may be vast. It likely includes digital service providers (like software companies, cloud-hosting companies, and application developers) you need to use to do business.
Here are some examples of third-party vendors your company may use in support of your operations:
- Document storage companies (both digital storage and hard copies)
- Document shredding companies
- Point of sale systems
- Payment processors
- Customer relationship management (CRM) systems
- Outside companies that handle things such as billing or debt collection on your behalf
- Accreditation and compliance organizations
- Legal services
- Human resources services such as payroll and health plan administrators
So, with all these organizations now tied into your supply chain, as a middle-tier vendor, how far should your audits go? How deep should your second- and third-tier vendor risk assessments be?
While these questions are still being debated in many organizations, the least complicated answer is: If you’re working with an outside organization that has access to your data and systems, you’re at risk, and that may put your clients at risk too.
A Risk Perspective
Here’s an example to put the risk into perspective:
In 2013, an attacker used credentials stolen through a third-party vendor to access Target’s customer service database.
Using those credentials, the attacker infected the system with malware and successfully captured sensitive data from Target customers—including names, phone numbers, credit card numbers and card verification codes.
As a result, the company was ordered to pay more than $18 million for settlements covering multiple states and 41 million customers.
Risk Is More Than Just Data
When we talk about risk, especially under the auspices of cybersecurity, we’re often focused on data protection. But when it comes to risk mitigation, your scope for your third parties should include more than just data protection.
Here are some examples of other risks created by your third-party vendor relationships:
- Regulatory and compliance risks
- Reputational risks and potential for brand damage
- Financial risks
- Security risks
- Operational risks
We can take a quick look again at Target as an example of third-party risk issues, this time from an operational perspective.
In 2019, the company made headlines again when it experienced an outage of its payment processing system, which created long lines at stores and limited purchases to cash-only at many locations.
The issue originated with a third-party vendor that processes credit card payments. That services supplier had a problem at its data center and it caused a national outage for the retailer’s registers. One report indicates the retailer could have lost about $100 million in sales because of the outage.
A Target spokesperson told one media outlet the issue was the result of an error created during routine system maintenance. Those types of errors, even if they’re short-lived, can have far-reaching impacts on your business. If you’re a middle-tier vendor and one of your upstream vendors experiences an outage that prevents you from doing business downstream, your losses and hardships could be exponentially greater.
Increasing Data Breach Risks
While third-party risks from your supply chain go well beyond potential data breaches, data breaches are at the top of the list of growing concerns.
During the past two years, more than half of organizations that reported a data breach say that one or more of the breaches originated with a third-party.
The cost to remediate those breaches on average is more than $7.5 million.
While most organizations agree that managing third-party risks is critical, more than half say they’re only somewhat effective or not effective at all at doing it.
And it’s not because organizations aren’t willing to do the work. Unfortunately, like other cybersecurity professionals, they’re just stretched too thin.
On average, third-party vendors spend more than 15,000 hours a year on assessments, even though only 8% of organizations take action based on the results of the assessments.
If you’re a middle-tier vendor doing your own internal audits and responding to audits for existing contracts—and you’re answering proof-of-compliance requests for new contract opportunities, how much time and resources do you have to repeat this process for every upstream vendor you work with?
It’s a situation further complicated throughout the supply chain by the use of static documents like spreadsheets to manage cybersecurity and risk programs for third-party vendors.
So, what can you do?
If you’re a middle-tier vendor who wants to ensure you’re meeting your clients’ cybersecurity standards—and also ensure that your vendors are meeting your cybersecurity standards—there is help.
There are a number of cybersecurity frameworks available to help you manage supply chain compliance and risk. Two of the more common ones are from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).
NIST 800-53 offers recommendations for managing supply chain risk, along with suggested controls you can adopt for your organization.
Third-party risk management is also included in ISO 27001, 27002, and 27701. Like NIST 800-53, these standards can help you create controls for third-party risks in your supply chain.
Both frameworks are applicable for diverse industries, but in some instances your organization’s specific needs require a custom framework, which can be derived from your existing practices as well as recommendations from other frameworks.
And, if you’re still using those static documents noted earlier, you may find it helpful to adopt cybersecurity management software that can help you build your third-party risk compliance framework and manage it with better insight into how well you’re doing.
Keep an eye out for part 2 of this blog series where we’ll take a closer look at some of these supply chain management frameworks and how you can use them to reduce risk for your organization.