Third-parties are a necessary part of most organizations’ business. They often provide crucial services — like billing, data storage, or sometimes mission-critical services — becoming an indispensable part of a company’s extended enterprise.
Unfortunately, this also makes third parties, like vendors, partners, and suppliers, a target for cyber criminals. Third-party breaches are becoming increasingly common. A recent survey conducted by the Ponemon Institute and publicized via Security Boulevard, found that 53% of organizations have experienced one or more data breaches caused by a third-party, costing them an average of $7.5 million to remediate.
What is the impact of a third-party data breach?
While the fiscal impact is well-documented, third-party data breaches are about more than simply the dollar cost of a cyber attack. Below are five ways third-party data breaches can affect your business.
1. The financial impact
Data breaches are expensive no matter which party is breached. According to Ponemon’s Cost of a Data Breach report, the average data breach costs $3.92 million, and the average cost per lost record is $150. That’s just the average, however. There are factors that can cause that number to rise. One of those cost amplifiers is who caused the breach. If a third-party is involved, a breach costs more. According to the report, if a third-party causes the data breach, the cost tends to increase — by more than $370,000, for an adjusted average total cost of $4.29 million.
The reasons behind the cost of third-party breaches differ depending on the situation and the companies involved. But the cost of a third-party data breach may stem from hidden costs — such as having to find another provider while your mission-critical vendor is compromised — as well as the usual monetary damages and legal fees of a normal data breach.
2. The legal consequences
When the American Medical Collection Agency (AMCA), a billing agency that served as a third-party provider for large healthcare providers across the U.S., was breached in 2019, millions of patients’ records were exposed. The breach placed the AMCA and its clients in violation of HIPAA. While the breach was devastating for the organization that suffered it — AMCA lost its biggest clients and filed for bankruptcy — it also exposed its clients to costly class action lawsuits and state investigations.
The moral of the story: if your third-party suffers a data breach, you can (and probably will be held liable) for any customers’ records that are exposed as a result of the breach.
3. The exposure of your proprietary information
Cyber criminals aren’t just after funds or customers’ information. They might be after your intellectual property. Take the examples of DoppelPaymer, a data-stealing ransomware, or REvil ransomware, two ransomwares that lock a company out of its data and then threaten to sell the data if the ransom isn’t paid.
DoppelPaymer targets vendors in the space and defense industry, and lists exposed proprietary data on its website to shame the organizations that haven’t paid up. This is an embarrassing and costly problem for any organization, but may be the end of any company that thrives on innovation.
4. The potential for future attacks
When cyber criminals access your data through a third-party, that breach may not be their endgame. It may simply be the opening shot in a larger campaign of hacks, attacks and breaches, or the information stolen might be intended for use in phishing scams or other fraud.
Take the example of a large corporation that was breached through a third-party service provider in early 2020. Cyber criminals gained access to personal information, but didn’t touch the corporation’s systems at all. That information might be used in later attacks.
5. The damage to your reputation
Unfortunately, when it comes to breaches and exposed records, it doesn’t matter if your vendor is at fault, or if it’s your own fault. What customers will remember is that they trusted you with their information and it was later exposed or stolen. If the breach is dire enough, they may think twice before doing business with your organization again.
How VRM can help reduce the impact or possibility of a third-party data breach
Vendor risk management (VRM) is the monitoring of third-party operations in order to protect your organization from a potential breach. This can be achieved through a number of third-party risk management tools (TPRM) such as vendor risk questionnaires, continuous monitoring, and API integrations.
By taking proactive steps and using these tools, an organization’s risk of a third-party data breach is decreased. If a breach does occur, the impact is lessened. TPRM tools also work to streamline efforts, providing organizations with more time and resources to help better enable organizational success.
How SecurityScorecard can help mitigate third-party data breaches
The best way to protect yourself against a third-party data breach is by doing your due diligence when it comes to your vendors, a process which takes time and energy. To reduce the amount of administrative time and effort spent managing third-party relationships, consider a tool that automates parts of the process.
SecurityScorecard’s Security Assessments uses advanced artificial intelligence to streamline the third-party risk management process. Using our platform, your organizations can upload vendor responses to questionnaires. Our machine learning compares those answers to previous questionnaires and our platform’s own analytics, verifying vendor responses almost immediately. Our easy-to-read security ratings, based on an A-F scale, enable you to provide your leadership with the necessary documentation to prove governance over your vendor risk management program.
