Holiday Shopping Season Magnifies the Risk of Third-party Data Breaches

December 6, 2018
IT Security, Retail

Black Friday. Small Business Saturday. Cyber Monday. They’re three of the busiest shopping days of the year. With the high levels of online shopping and credit card usage associated with them, they also constitute prime times for DDoS attacks and other types of cyber-crime to occur. But don’t be deceived into thinking all’s clear once they’re past. The entire holiday shopping season is prime time for cyber-crime.

Retailers and ecommerce businesses are the primary targets but companies across just about every industry could be at some level of risk as well. Simply sharing the same third-party vendor as a company targeted for attack can put any organization in danger.

The Risks of Outsourcing

As companies seek ways to reduce capital expenses, add capabilities, and adopt new technologies in short timeframes, they’re increasingly turning to outsourcing. In most cases, they’re partnering with vendors who also provide their services to other organizations.

It’s not unusual for companies across a diverse range of industries to share the same payment system processor, data analytics company or another type of service provider. The problem is that if the service provider is hit by a DDoS attack or some other type of data breach, it can have repercussions for all its customers.

Cybercriminals know that service providers often require access to their customers’ sensitive data in order to deliver the required services. With privileged access to multiple customer environments and trusted to store and protect confidential information, these vendors are prime targets for cybercriminals. Your company can have the Fort Knox of IT infrastructure but still lose valuable data if your vendor experiences a breach.

Studies indicate that’s becoming more common. According to the third annual Ponemon Institute “Data Risk in the Third-Party Ecosystem” study, 61 percent of the US companies surveyed reported experiencing the aftermath of a data breach caused by one of their vendors or third parties.

The study also revealed that many breaches go undetected with 22 percent of respondents admitting they didn’t know if they’d had a third-party data breach in the past 12 months. Overall, more than three-quarters of organizations believe that third-party cybersecurity incidents are increasing.

This doesn’t mean outsourcing and using third-party vendors can’t be safe. However, it does require extra vigilance and a comprehensive security posture that takes third-party provider risk into consideration. The following tips can help your company manage and minimize security risks when working with a third-party service provider.

  1. Know your vendors. Assess third-party vendor risk by including all service providers in your company’s risk assessments. Start by listing every vendor, no matter how limited the relationship may be. Those that work with you the most are not necessarily the ones that pose the biggest risk. It could easily be that one small vendor that provides limited services once a year. Review the data your vendors currently have access to and what level of access they really need. Make sure you know where ALL your data is and who has access to it. Set (or revise as necessary) access rights using the principle of least privilege. Determine what effect a hack into the systems of each vendor would have on your company. Employ extra scrutiny for any that pose anything other than a very low risk.
  2. Evaluate vendors’ security. This is something that should always be done prior to working with any vendor — and throughout the relationship. Ask all vendors to complete an in-depth questionnaire about their security practices and how they handle breaches and other disasters. Follow up with questions and ask for explanations if you aren’t clear on something. If a vendor claims to be compliant with specific industry standards or to hold certifications, both of which may entail meeting rigorous security requirements, ask for documentation. Conduct an on-site visit. Interview the vendor personally based on questions from ISO 27001 or NIST Special Publication 800-53 to get a better understanding of the provider’s security. Conduct penetration tests and vulnerability scans of your vendors’ network and systems for a deep, technical analysis of their ability to combat hackers.
  3. Define and document your expectations. Consider what you want your vendors to be held accountable for and work with your legal team to ensure all contracts clearly state these expectations. Establish key performance indicators for security in your service level agreements (SLAs). The SLAs should set clear expectations for cybersecurity, including mandatory cybersecurity controls that comply, at the very least, with regulatory and industry standards. The SLA should include the right to audit or conduct a security assessment of the service provider’s cyber security practices and compliance initially agreed to in the contract. It should also include what the provider would be held accountable for and the applicable penalties for non-compliance with the agreed provisions.
  4. Understand your data access lifecycle. If you end a relationship with a vendor, what happens to that vendor’s access to your data and/or systems? If the vendor has any of your data on its systems, who’s responsible for removing it – and making sure it is really removed? Make sure you have a system in place to handle situations in which you part ways with any vendor.
  5. Encrypt your data. Don’t leave the security of your data to chance. Any sensitive data should be encrypted for data privacy with approved algorithms and long, random keys. Never let your third-party vendors hold or access decryption keys. The data should remain encrypted in transit, at rest, and in use.
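Tip 5 in practice: the data owner encrypts a record with a long random key before the record ever reaches a vendor, and keeps the key itself. What follows is an added example written for this article, not code from US Signal or from any vendor it describes. It uses only the Go standard library (AES-256-GCM, an approved authenticated-encryption mode), and the sample cardholder record and the `order-1001` record identifier are constructed for illustration. The key is generated once by the owner and never leaves the owner's side; the vendor stores or transports only the sealed bytes, and any tampering with them is detected on decryption. This covers data at rest and in transit; protecting data in use needs additional measures outside the scope of this snippet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyLen is 32 bytes, i.e. AES-256: the "long, random key" the tip calls for.
const KeyLen = 32

// NewKey generates a fresh random key. It is created and held by the data
// owner; the vendor is never given a copy.
func NewKey() ([]byte, error) {
	key := make([]byte, KeyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM wraps an AES-256 key in GCM mode (authenticated encryption).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeyLen {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key. The returned bytes are
// nonce || ciphertext || GCM tag. aad (e.g. the record identifier) is
// authenticated but not encrypted, so a sealed blob cannot be silently
// re-attached to a different record.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12-byte random nonce, unique per call
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails (returns an error) if the key is wrong, the
// aad does not match, or a single bit of the sealed bytes was altered.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample record; the owner encrypts it before handing it off.
	record := []byte("cardholder=J. Doe;pan=4111111111111111;exp=12/29")
	recordID := []byte("order-1001")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("vendor receives %d opaque bytes, no key\n", len(sealed))

	// Owner, holding the key, can still read the record back.
	pt, err := Open(key, sealed, recordID)
	fmt.Printf("owner decrypts: %q (err=%v)\n", pt, err)

	// Anyone altering the stored bytes is caught at decryption time.
	sealed[len(sealed)-1] ^= 0x01
	_, err = Open(key, sealed, recordID)
	fmt.Printf("tampered copy rejected: %v\n", err)
}
```

The owner-side key can live in an HSM or a managed key service, in which case `NewKey` is replaced by a call to that service; the `Seal`/`Open` contract with the vendor stays the same.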

Learn More

For more information about keeping your data secure, wherever it is, contact US Signal. Our solution architects and security specialists can assess your current IT security posture and offer recommendations for implementing a more comprehensive security strategy. Call 866.2. SIGNAL or email us at: [email protected].

You can also take advantage of US Signal’s free eBook.