Way back in 2018, the Department of Defense (DOD) reported a data breach that affected at least 30,000 military and civilian personnel. Let’s take a stroll down memory lane to look at what happened: attackers gained access through a third-party contractor that maintained travel records for the department. The breach compromised highly sensitive personal and financial information, and it included travel records, which are particularly delicate because they hand a bad actor an employee’s detailed itinerary, right down to their airplane seat number.
Unfortunately, this public sector breach should not have come as a surprise. More than two years later, we are still seeing the same headlines about new data breaches plaguing companies, and public sector and government entities are no different. Back in 2018, the issues cited were that the organizations involved weren’t proactive about preventing cyberattacks, had poor password management, and lacked encryption. But even if the DOD had many of these cybersecurity best practices in place for its own organization, a network is only as strong as its weakest link. In this case, the DOD did not address the vulnerabilities introduced by its third-party vendor. And here we are, two years later, still talking about data breaches that stem from third-party access.
Can we learn from past mistakes?
It’s well past time for all government entities, agencies, and everything in between to take notice of the huge risk that third parties and vendors pose to their cybersecurity posture. It’s widely known and accepted that government, nonprofit, and private sector entities alike live by the phrase “do more with less.” What that means is that quality, productivity, and turnaround time are expected to keep improving while budgets don’t keep pace. So, like most companies, many of these organizations rely on third parties or vendors to make it all possible.
However, as the headlines about data breaches make clear, the relationship between an enterprise and a vendor usually isn’t properly managed. Service providers are now firmly in the cybercriminal’s crosshairs because, more often than not, vendors are given privileged credentials and access to multiple customer environments and are inherently trusted to store and protect confidential information. One compromised vendor can open the door to every customer it serves, so cybercriminals view service providers as treasure troves. This should come as no surprise, since vendors seem to be involved in nearly every major incident: Marriott, TikTok, and, of course, Target. Here’s the thing: if you aren’t giving privileged access to all of your own employees, why are you giving it to a vendor company whose reps and techs you don’t hire or fire?
So yes, we can learn from our past mistakes, but learning is just the beginning. Every organization must take the necessary steps to protect itself, its customers, its data, and its reputation.
Four steps to keep your organization safe
Let’s face it, the relationships between vendors and enterprise organizations aren’t going away, especially in the government sector. So, let’s look at ways organizations can reduce their exposure through some key best practices:
- Make cybersecurity the priority: In all strategic planning, policies, and procedures, it can’t be a sub-bullet, add-on, or afterthought. Along the same lines, the responsibility should not be housed in a stand-alone department; cybersecurity is every employee’s business. Some of this is common sense, such as not opening unexpected email attachments, guarding and changing passwords, and making encryption the standard. The important thing is to look beyond internal resources when thinking about cybersecurity: make sure everyone you work with, whether a technology vendor or a contract writer, lives up to the same standards you have put in place for your own company.
- Perform due diligence: Doing your research before selecting a vendor is critical, and at the top of the list must be their security policies and capabilities. Did you know that 61% of data breaches are attributed to a third party or vendor? How can you be sure that the vendors, suppliers, partners, and consultants you work with have the right security in place to keep an attack from reaching your systems? Without clear visibility into remote networks and third-party systems, it can be hard to know whether a current or potential vendor is vulnerable or already compromised. A vendor security checklist helps you identify red flags so you can take steps to protect your network from cyberattacks and other threats to your data. And this shouldn’t happen only when you’re onboarding new vendors: ideally, you should review your vendors and their security practices monthly or quarterly.
- Maintain complete access control: Remember, you hired a vendor company, not its individual reps, so it’s important to have control all the way down to the individual: each rep gets their own identity rather than a shared vendor account, and that identity is granted access only to the systems and activity the job requires. Vendor access management tools that enforce these restrictions are what make this practical at scale.
- Audit all user activity on your network: This provides vendor accountability, supports regulatory compliance, and gives you an early warning of emerging problems. Instead of pointing fingers at every vendor company you work with, you will be able to say which vendor company, and which rep, caused the issue. That takes the guesswork out of investigating a breach or cyberattack.
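The last two steps, per-individual access control and auditing that attributes activity to a vendor and a rep, are easier to reason about with a concrete check in hand. The following Python is an added example written for this page, not SecureLink’s code or any product’s: it evaluates constructed vendor session records against a hypothetical policy (named reps per vendor, allowed system/action pairs, MFA required) and, going a step beyond the text, flags overlapping sessions for the same rep from different source addresses, which is the usual signature of a “per-individual” account that is actually being shared. The log format, policy, vendor names, hostnames, and IP addresses are all invented for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical vendor access policy (constructed for this example):
# vendor company -> approved individuals, allowed system/action pairs, MFA rule.
POLICY = {
    "acme-travel": {
        "reps": {"j.doe", "a.lee"},
        "systems": {
            "travel-db-01": {"read"},
            "travel-app-02": {"read", "deploy"},
        },
        "require_mfa": True,
    },
}

# Constructed session log: one completed vendor session per line.
SAMPLE_LOG = [
    "2020-10-05T14:00:00Z 2020-10-05T14:30:00Z vendor=acme-travel rep=j.doe system=travel-db-01 action=read src=203.0.113.5 mfa=yes",
    "2020-10-05T14:10:00Z 2020-10-05T14:20:00Z vendor=acme-travel rep=j.doe system=travel-db-01 action=read src=198.51.100.7 mfa=yes",
    "2020-10-05T15:00:00Z 2020-10-05T15:05:00Z vendor=acme-travel rep=a.lee system=travel-db-01 action=write src=203.0.113.9 mfa=yes",
    "2020-10-05T16:00:00Z 2020-10-05T16:30:00Z vendor=acme-travel rep=m.ng system=travel-app-02 action=deploy src=203.0.113.5 mfa=no",
    "2020-10-05T17:00:00Z 2020-10-05T17:10:00Z vendor=globex-it rep=t.ray system=hr-db-01 action=read src=192.0.2.44 mfa=yes",
]

LINE_RE = re.compile(
    r"^(?P<start>\S+) (?P<end>\S+) vendor=(?P<vendor>\S+) rep=(?P<rep>\S+) "
    r"system=(?P<system>\S+) action=(?P<action>\S+) src=(?P<src>\S+) mfa=(?P<mfa>yes|no)$"
)


@dataclass(frozen=True)
class Session:
    vendor: str
    rep: str
    system: str
    action: str
    src: str
    mfa: bool
    start: datetime
    end: datetime


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Parse one session record; reject anything that does not match the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable session record: %r" % line)
    return Session(
        vendor=m["vendor"], rep=m["rep"], system=m["system"], action=m["action"],
        src=m["src"], mfa=(m["mfa"] == "yes"), start=_ts(m["start"]), end=_ts(m["end"]),
    )


def check_session(policy, s):
    """Return the policy findings for a single session (empty list means compliant)."""
    vendor = policy.get(s.vendor)
    if vendor is None:
        return ["vendor %s has no approved access" % s.vendor]
    findings = []
    if s.rep not in vendor["reps"]:
        findings.append("rep %s is not on %s's approved list" % (s.rep, s.vendor))
    allowed = vendor["systems"].get(s.system)
    if allowed is None:
        findings.append("system %s is not in scope for %s" % (s.system, s.vendor))
    elif s.action not in allowed:
        findings.append("action %s on %s not permitted" % (s.action, s.system))
    if vendor["require_mfa"] and not s.mfa:
        findings.append("session established without MFA")
    return findings


def find_shared_accounts(sessions):
    """Flag a rep whose sessions overlap in time from different source addresses."""
    by_rep = defaultdict(list)
    for s in sessions:
        by_rep[(s.vendor, s.rep)].append(s)
    findings = {}
    for key, group in by_rep.items():
        group.sort(key=lambda s: s.start)
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b.start < a.end and a.src != b.src:
                    findings.setdefault(key, []).append(
                        "overlapping sessions from %s and %s: credential may be shared" % (a.src, b.src))
    return findings


def audit(lines, policy=POLICY):
    """Attribute every finding to 'vendor/rep' so the report names the company and the individual."""
    sessions = [parse_line(l) for l in lines if l.strip()]
    report = defaultdict(list)
    for s in sessions:
        for f in check_session(policy, s):
            report["%s/%s" % (s.vendor, s.rep)].append(f)
    for (vendor, rep), fs in find_shared_accounts(sessions).items():
        report["%s/%s" % (vendor, rep)].extend(fs)
    return dict(report)


if __name__ == "__main__":
    for who, findings in sorted(audit(SAMPLE_LOG).items()):
        for f in findings:
            print("%-22s %s" % (who, f))
```

Run as a script it prints one line per finding, keyed by vendor and rep: the write attempt by a.lee, the unapproved rep m.ng working without MFA, the vendor globex-it that has no contract at all, and j.doe’s account being used from two addresses at once. In production the policy would come from your vendor access management system and the sessions from its audit trail, but the shape of the check is the same: enforce scope per individual, and make every finding attributable.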
Organizations that leverage third-party services must follow these best practices in order to maintain a partnership with vendors that adds value instead of risk. To learn more about how third-party data breaches have affected other companies, download our eBook, which maps out the top attack vectors, the common phases of a third-party data breach, and the importance of implementing a vendor management program. Whatever vendor access management tools you choose should build in credential management, multi-factor authentication, connection notifications, and real-time monitoring with comprehensive audit reports.
The post Four steps to prevent the next third-party data breach appeared first on SecureLink.
*** This is a Security Bloggers Network syndicated blog from SecureLink authored by SecureLink. Read the original post at: https://www.securelink.com/blog/department-of-defense-data-breach-four-steps-to-prevent-the-next-one/