In today's interconnected business world, it's common for companies to share various data with vendors. Maybe your company shares customer data with marketing companies. Maybe you share data with a company that handles billing and payment processing. Maybe you outsource deliveries to another company that has to access your sales data.
Perhaps you don't share data with other companies but do allow them access to your systems. Are your physical security systems monitored by a third party? What about your HVAC systems? Who manages your internal network or Internet access?
A 2019 eSentire survey found that 44% of all firms surveyed had experienced a significant data breach caused by a third-party vendor. Third-party data breaches can occur when your data is stolen from their systems or when their systems are used to access and steal data stored on your system. It's even possible that the vendors you use can be exploited to access your data.
What should your company do if it experiences a data breach caused by a third-party vendor? There are several important steps to take.
Stop the breach - at both companies
The first thing you need to do when you discover a data breach caused by a third-party vendor is to stop it as quickly as possible. According to an IBM study, it takes an average of 197 days for a company to identify a data breach—and another 69 days to contain it. You'll need to have your incident response team collaborate with staff at the third-party vendor to isolate and stop any ongoing breach.
A speedy response is imperative; the faster you stop the breach, the less money you'll lose. If you can stop the breach in less than 30 days, you'll save over $1 million more than you will if you let it go on longer. It's that simple.
Beef up your cybersecurity
Next, you want to take steps to ensure that a similar data breach doesn't occur in the future. This starts with determining just how—and where—the breach occurred.
If the breach occurred solely at facilities of the third-party vendor, you need to evaluate what data you share with that vendor. You should also work with the vendor to beef up its data security to meet your company's standards.
If the attack breached your data through your vendor's systems, then you need to reevaluate your company's network security. For example, the 2013 breach of Target's POS systems, which resulted in the theft of more than 40 million credit card records, stemmed from a hack of one of the retailer's vendors. To avoid similar breaches, you need to implement network segmentation and firewalls that reduce the risk of unauthorized access from outside your company's network.
Create a vendor risk management plan
To reduce the risk of future breaches caused by one of your third-party vendors, your company needs to create a comprehensive vendor risk management plan. This is a program that outlines the services and data that vendors can access, how that access is managed and monitored, and what happens if a vendor's systems—and your data—are breached. It also details who is liable if a data breach does occur.
This vendor risk management plan needs to be applied retroactively to all your current vendors, and your relationships with those vendors should be reevaluated on a continuing basis. All new vendors need to be consulted in regard to the plan and agree to all provisions. The plan can't completely eliminate the risk of a future breach, but it can substantially reduce your company's risk.
Should you fire the third-party vendor?
After you've cleaned up the mess caused by the third-party data breach, you face another question—should you continue doing business with the vendor?
Some companies want to maintain what in many cases is a long-established relationship. Starting a relationship with a new vendor is costly and time consuming. The breach was a one-time event, after all, and the vendor will have learned a lesson and beefed up their security. Finally, there's no guarantee that whoever you choose to replace that vendor will have a better system in place.
Other companies believe in severing the relationship, especially if the breach was particularly egregious. It may be difficult to continue working with a vendor that cost your company millions of dollars and untold amounts of goodwill. If the vendor wasn’t properly protecting your company's data and systems, there's no guarantee they're going to be any better in the future. Your relationship with the vendor may have become irreparably stained in dealing with the incident.
Maybe your company has been unhappy with this vendor for some time, and this is just the (very big) straw that severs the relationship. Perhaps your company is under pressure from customers affected by the breach and you have to bow to that pressure.
Though there are good arguments for both keeping and dropping a vendor involved in a data breach, management needs to decide the best approach for your company.
How we can help
SecurityScorecard can help you identify and mitigate your risk from third-party vendor breaches with our free instant security scorecard. We'll give you an outside-in view of what a hacker sees so that you can prevent attacks before they ever happen.