Posted on Aug 13, 2020
Third parties are a necessary part of most organizations’ business. They often provide crucial services — like billing, data storage, or sometimes mission-critical services — becoming an indispensable part of a company’s extended enterprise.
Unfortunately, this also makes third parties, like vendors, partners, and suppliers, a target for cyber criminals. Third party breaches are becoming increasingly common. A recent survey conducted by the Ponemon Institute and publicized via Security Boulevard, found that 53% of organizations have experienced one or more data breaches caused by a third party, costing them an average of $7.5 million to remediate.
What is the impact of a third party data breach? While the fiscal impact is well-documented, third party data breaches are about more than simply the dollar cost of a cyber attack. Below are five ways third party breaches can affect your business.
Data breaches are expensive no matter which party is breached. According to Ponemon’s Cost of a Data Breach report, the average data breach costs $3.92 million, and the average cost per lost record is $150. That’s just the average, however. There are factors that can cause that number to rise. One of those cost amplifiers is who caused the breach. If a third party is involved, a breach costs more. According to the report,If a third party causes the data breach, the cost tends to increase — by more than $370,000, for an adjusted average total cost of $4.29 million.
The reasons behind the cost of third party breaches differ depending on the situation and the companies involved. But the cost of a third party data breach may stem from hidden costs — such as having to find another provider while your mission critical vendor is compromised — as well as the usual monetary damages and legal fees of a normal data breach.
When the American Medical Collection Agency (AMCA), a billing agency that served as a third party provider for large healthcare providers across the U.S., was breached in 2019, millions of patients’ records were exposed. The breach placed the AMCA and its clients in violation of HIPAA. While the breach was devastating for the organization that suffered it — AMCA lost its biggest clients and filed for bankruptcy — it also exposed its clients to costly class action lawsuits and state investigations.
The moral of the story: if your third party suffers a data breach, you can (and probably will be held liable) for any customers’ records that are exposed as a result of the breach.
Cyber criminals aren’t just after funds or customers’ information. They might be after your intellectual property. Take the examples of DoppelPaymer, a data-stealing ransomware, or REvil ransomware, two ransomwares that lock a company out of its data and then threaten to sell the data if the ransom isn’t paid.
DoppelPaymer targets vendors in the space and defense industry, and lists exposed proprietary data on its website to shame the organizations that haven’t paid up. This is an embarrassing and costly problem for any organization, but may be the end of any company that thrives on innovation.
When cyber criminals access your data through a third party, that breach may not be their endgame. It may simply be the opening shot in a larger campaign of hacks, attacks and breaches, or the information stolen might be intended for use in phishing scams or other fraud.
Take the example of a large corporation which was breached through a third party service provider this past February. Cyber criminals gained access to personal information, but didn’t touch the corporation’s systems at all. That information might be used in later attacks.
Unfortunately, when it comes to breaches and exposed records, it doesn’t matter if your vendor is at fault, or if it’s your own fault. What customers will remember is that they trusted you with their information and it was later exposed or stolen. If the breach is dire enough, they may think twice before doing business with your organization again.
The best way to protect yourself against a third party data breach is by doing your due diligence when it comes to your vendors, a process which takes time and energy. To reduce the amount of administrative time and effort spent managing third party relationships, consider a tool that automates parts of the process.
SecurityScorecard’s Atlas uses advanced artificial intelligence to streamline the third-party risk management process. Using our platform, your organizations can upload vendor responses to questionnaires. Our machine learning compares those answers to previous questionnaires and our platform’s own analytics, verifying vendor responses almost immediately. Our easy-to-read security ratings, based on an A-F scale, enable you to provide your leadership with the necessary documentation to prove governance over your vendor risk management program.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.