Threat Intelligence Management
Dark Web Monitoring Threat Intelligence Best Practices
What is Threat Intelligence Management? Threat intelligence management enables companies to understand their threat …
Are you worried about experiencing a data breach through a third party? Wondering how to prevent third-party data breaches?
It’s no surprise. The situation is jaw-droppingly scary, after all.
According to research by the eSentire, for example, in 2019, 44% of companies experienced data breach caused by a third party.
And a Data Breach Investigation Report by Verizon tells us that 62% of all data breaches happen via third-party vendors.
It’s no surprise that more and more businesses wake up to the possibility of a third-party data breach happening to them, too. Many already outsource major aspects of their functions and data to third-party vendors, after all.
And naturally, they’re looking for ways to prevent it from being breached.
That’s what we’re going to cover below. You’ll learn more about third-party data breaches, and we’ll also cover some of the best ways to prevent it from happening to you.
Contents
What are third-party data breaches?
Before we discuss ways to prevent third-party data breaches, let’s cover some basics.
When we talk about a third-party vendor, we mean any external party that the company shares its data with. This could include cloud service providers, marketing agencies, contractors, and so on.
Any external company or vendor you work with and share any data with falls into this category.
A third-party data security breach is an event in which an unauthorized individual or a group of cybercriminals gains access to an organization’s sensitive data through a third-party vendor or partner.
How Do Third-Party Data Breaches Happen?
Well, this can happen in a number of ways.
One is when a third-party vendor that holds your company’s data in their system suffers a breach. Hackers infiltrating the vendor’s systems automatically gain access to whatever data of yours is there as well.
EXAMPLE: In 2021, hackers breached Elekta’s systems, a cloud storage provider. In the attack, hackers also gained access to sensitive patient data of the Oklahoma Cancer Center that was stored on the Elekta servers. In 2014, Home Depot breach was compromised losing over 56 million payment card details when attackers gained access to a third-party vendor’s credentials giving them access to Home Depot’s payment system.
In 2016, a data breach at Dropbox exposed the email addresses and passwords of 68 million users. The breach was caused by a Dropbox employee who had reused their work account’s password on a third-party website that had been hacked. Hackers were then able to use this password to gain access to Dropbox’s network and steal user information.
Here are several other famous examples of third-party data breaches:
Microsoft: In early 2021, Microsoft experienced a major data breach that exposed sensitive information from its Exchange email service. The hackers were able to access email accounts and other data by installing web shells, which are malicious scripts that allow them to execute commands on the compromised server remotely. The web shells enabled hackers to steal sensitive data, such as email messages, contact lists, and calendar entries.
Uber: In December 2022, Uber, the global ride-hailing giant, suffered a third-party data breach due to a compromised vendor. Teqtivity, an IT asset tracking, monitoring, and management service provider, confirmed that a hacker had breached its systems and accessed email addresses and other information belonging to more than 77,000 Uber employees.
SolarWinds: In December 2020, SolarWinds confirmed that its network had been breached, and malware was injected into the software update functionality on its platform. The malware scanned downstream customer networks, detected security tools, and connected back to the attacker’s command and control servers. 18,000 customers were impacted, including government agencies and 14% of the Fortune 1000.
Target: In November 2013, Target, one of the largest retail chains in the United States, experienced a massive data breach that compromised the personal and financial information of approximately 40 million customers. The attackers gained access to Target’s network by using credentials stolen from a third-party vendor, and then installed malware on the point-of-sale (POS) systems to capture credit and debit card information during transactions. The financial impact of the breach was estimated at over $200 million.
Who is liable in a third-party data breach?
In a third-party data breach, liability can fall on both the third-party vendor who experienced the breach and the company that provided the data to them.
The third-party vendor is responsible for securing the data they handle, while the company that hired them could be liable for not ensuring the vendor had adequate security measures in place.
Liability often depends on the contracts between the two parties, which typically outline security responsibilities and risk management.
In some cases, both the vendor and the company can be held accountable for the breach.
10 steps to prevent third-party data breaches
1. Evaluate the vendor’s information security
I admit that this is one of those things you usually think of after the fact. Often, it’s only after you’ve suffered a security incident do you begin to question your vendor’s security strategies. Obviously, a better approach would be to do that before engaging with any third-party vendor.
Conduct a thorough vendor risk assessment of a potential vendor’s security policies and procedures before partnering with them.
Start by requesting that your vendor complete a security questionnaire covering various aspects of their security policies, access controls, and data protection practices. Security certifications, like SOC 2 or ISO/IEC 27001, demonstrate a certain commitment to basic security and operational procedures.
Review your vendors’ track record and reputation, too. Research to determine if they have a history of data breaches or security incidents, and check references from other clients to gauge their reliability.
Maintaining an ongoing relationship with your vendor is vital to ensure they meet your security standards. Conduct periodic security audits or assessments to verify their compliance.
2. Incorporate Risk Management
This can take many forms, of course. The most common option is to incorporate security ratings into your vendor contracts, demanding that vendors maintain a minimum security rating or face contract termination.
You can also include a clause requiring vendors to promptly report and address security issues within a specified timeframe.
Incorporating Service Level Agreements (SLAs) into your vendor contracts can also be effective. SLAs allow you to specify the level of security required of your vendors and to set penalties for failing to meet those requirements.
Including SLAs in your contracts can enhance your control over vendor cybersecurity risk management and help safeguard your organization’s sensitive information.
3. Segment Your Network and Test
Network segmentation splits up your network into multiple smaller networks.
The advantage to this approach is that you can implement finer access controls on who can access each segment than if the network was flat.
This is an extremely important step to help contain a breach when it occurs.
After segmenting your network and applying the appropriate security controls, it’s important to conduct a penetration test to verify that the network is secure.
Pen testers will use the same tools and methods that hackers use to gain unauthorized access to your network. After implementing the recommendations from their report, consider running an “Assumed Breach” exercise.
Red teams can simulate what an attacker can do once they’ve gained access to your network. This is when having a properly segmented and locked-down network will prove invaluable. Proper segmentation ensures that even if attackers breach one part of the network, they are contained and prevented from moving laterally to access other sensitive areas.
4. Limit Data Sharing
Sharing data with third-party vendors is a necessary part of many business operations.
However, it’s important to be cautious when sharing sensitive information, as it increases the risk of data breaches. To minimize the risk, organizations should assess what data needs to be shared and with whom.
Sharing too much data can put an organization’s sensitive information at risk.
For example, vendors may only require access to one or two servers or databases but get more access than necessary. This practice can enhance efficiency for the vendor but can also increase the likelihood of a third-party data breach.
To address this issue, Vendor Privileged Access Management (VPAM) is an approach that can limit and contain vendor permissions while also granting them sufficient access to fulfill their contractual obligations.
By implementing VPAM, businesses can reduce the risk of data breaches and maintain control over their sensitive information.
It’s important to remember that sharing data with third-party vendors should be minimized to the amount necessary for them to perform their intended role.
5. Keep Documentation
Maintaining comprehensive records of third-party management is crucial for several reasons.
Firstly, it enables you to monitor the security posture of your suppliers over time, allowing you to assess their security practices and track any changes or potential security risks.
Secondly, documentation aids in ensuring proper cyber hygiene, including timely patch management and regular testing.
Lastly, documentation plays a pivotal role in compliance, serving as an audit trail that demonstrates the implementation of a robust third-party security risk management process.
By maintaining documentation, you can mitigate the risk of data breaches by ensuring that essential maintenance tasks are completed and using it as evidence that your organization has taken necessary measures to prevent such incidents.
In a nutshell, keeping documentation provides assurance that your organization has proactively managed third-party risks and taken steps to protect sensitive information.
6. Take Into Account Fourth-Party Risk Supply Chain Attacks
Fourth-party risk is the risk that arises when your company’s suppliers outsource parts of their operations to other suppliers, thereby creating a chain of suppliers.
To identify potential threats with fourth-party risks, you can use your vendors’ System and Organization Control (SOC) reports.
The responsibility of vendor risk management, including fourth-party risk, lies with your information security team (just as it does for third-party risk management).
Even if a third party provides additional security, your company is still accountable for implementing a comprehensive attack surface management strategy to avoid regulatory, financial, or reputational consequences from a fourth-party data breach.
7. Stop Working with Unreliable Vendors
When managing third-party risks, it’s crucial to have a clear plan for cutting ties with unreliable vendors. This means identifying when a vendor is not meeting your standards or is at risk of a data breach.
Terminating a relationship with a vendor may be a difficult decision, particularly if they provide critical services. However, the potential consequences of a data breach or loss of sensitive information far outweigh any benefits of working with an unreliable vendor.
Therefore, it is essential to have a contingency plan in place to ensure that the termination of a vendor relationship does not cause any disruption to your organization’s operations. This plan should involve finding alternative vendors or in-house solutions to replace their services.
8. Implement Strict Password Policies and Multi-Factor Authentication
According to the Verizon Data Breach Investigations Report, most cyber attacks result from passwords that are either weak or compromised. The probability of credentials being exposed on the dark web increases when the same password is reused across multiple accounts.
Implementing strict password policies and requiring multi-factor authentication (MFA) for vendors accessing your systems is essential if you want to avoid that.
To implement strict password policies, start by setting requirements for password length. According to the OWASP ASVS, passwords should be at least twelve characters long.
In addition to password policies, multi-factor authentication adds an extra layer of security to vendor access. Multi-factor authentication requires vendors to provide additional authentication factors beyond just a password, such as a fingerprint, a token, or a one-time code sent to their mobile phone.
This reduces the risk of a potential data breach even if they have a vendor’s password.
Having said that, even secure passwords and session tokens are often leaked on the dark web. Continuous monitoring of your users’ and vendors’ leaked data enables your security team to prevent a breach before the data is exploited.
9. Train Employees on How to Identify and Report Suspicious Vendor Activity
One of the key steps to preventing third-party data breaches is to train employees on how to identify and report suspicious vendor activity.
By educating your employees on how to recognize and report suspicious activity, you can create an additional layer of protection against third-party breaches. This can include training on how to identify phishing emails, social engineering attacks, and other forms of cybercrime
It’s also important to have clear protocols in place for reporting and investigating suspicious activity.
This can include establishing a clear chain of command and outlining the steps to be taken in the event of a security incident. By involving employees in this process, you can create a culture of security awareness and reduce the risk of third-party data breaches.
While employee training can go a long way toward securing your systems, human error can still leave your organization vulnerable to attack. It’s important to implement technical controls to prevent humans from making bad decisions.
10. Have a Clear Incident Response Plan
In the event of a third-party data breach, it’s critical to have a well-defined data breach response plan in place to respond quickly and effectively to the situation.
The response plan should outline the roles and responsibilities of the incident response team, the steps to be taken to contain the breach, and the process for notifying affected parties.
To create an incident response plan, identify potential security incidents that could impact your organization. This should include third-party breaches as well as other types of cyberattacks, such as phishing scams, malware infections, or ransomware attacks.
Regular testing and updating of the incident response plan is crucial to ensure that it remains effective and up-to-date. The plan should be reviewed and updated at least annually, as well as after any major changes to the organization’s infrastructure or vendor relationships.
How Breachsense can help you prevent third-party data breaches
Breachsense is a data breach monitoring solution that can alert you in real-time when your user’s or vendor’s credentials appear in a data breach on the dark web. This enables your security team to reset the stolen credentials before hackers can exploit them.
Breachsense provides flexible integration with virtually any application, SIEM, or browser, making it easy for businesses to implement the service into their existing security tools.
With over 30 billion breached credentials and growing, Breachsense has the data and expertise to help organizations of all sizes and industries prevent account fraud.
