It has been a bad time on the cyber-security battlefront.
In recent days, we learned that a 2013 data breach at Yahoo was underreported. The reality: every single user, all three billion of them, had their information compromised.
Watching the watchman, over at the Securities and Exchange Commission, it announced that an incident previously detected in 2016 provided the means for illicit trading gains. A software vulnerability in the test filing component of the Commission’s EDGAR system was exploited and resulted in access to non-public information.
And, of course, there was the headline-feeding revelation that a massive data breach that hit consumer credit rating firm Equifax, potentially exposed the personal information of 143 million customers.
While each of these parties struggles with internal investigations and external scrutiny, the rest of the corporate world needs to be on their guard. We look at three ways the recent breaches should resonate with all companies that are serious about compliance and cyber-security.
Given the regulatory refrain that companies inherit the sins of their third parties, intriguing (and frightening) risk dilemmas emerge.
Where the Equifax breach can get really scary is that its partner companies need to assess whether when their customers’ data was similarly compromised.
As for the SEC, given that its collection of confidential, soon-to-be material data shared through EDGAR’s pre-filing functionality was compromised, it may be wise to think of it as a third party and not just a regulator.
These incidents all shed a light on the broader picture of third-party data risks. A recent study, released in September, underscores the dangers.
Opus, a provider of global compliance and risk management solutions, partnered with the Ponemon Institute for a study, “Data Risk in the Third- Party Ecosystem.” It uncovered the security risk companies face when sharing sensitive information with third parties.
Among the findings: 56 percent of businesses have had a third-party data breach (a seven-percent increase from last year); 84 percent lack a complete inventory of third parties; 63 percent don’t know when a third party shares data with a fourth party.
The survey also found that 42 percent of companies experienced cyber-attacks against third parties that resulted in the misuse of their company’s sensitive or confidential information.
“It is critical for organizations to actively manage their third-party interactions by implementing standard processes, including inventory and policy review and documentation, senior leadership, and board member oversight, as well as other safeguards to reduce their vulnerability.”
Dr. Larry Ponemon, The Ponemon Institute
The survey found that the effectiveness in managing third-party risks remained low. Fewer than one-in-five companies (17 percent) felt their organizations effectively managed third-party risk. Less than half of all respondents agreed that managing outsourced relationship risks is a priority in their organization.
A key deficiency identified in the study was that “companies lacked visibility into their third-party relationships.” More than half of the respondents said they do not keep a comprehensive inventory of all third parties with whom they share sensitive information. Only 18 percent of respondents know how external parties access and process data.
“Cyber-criminals continue to target weak links because companies are failing to successful manage risk,” says Dov Goldman, vice president of innovation & alliances at Opus. “Smart companies are learning from those that have implemented clearly defined third-party risk management programs supported by good governance and robust technology."
The study identified a strong correlation between implementing governance and IT security practices and a reduction in third-party data breaches. These practices include:
Evaluating security and privacy practices of all third parties.
Supplementing contractual agreements with audits and assessments.
Creating an inventory of all third parties with whom information is shared.
Ensuring oversight by board of directors, facilitated by regular reports on the effectiveness of these programs based on the assessment, management, and monitoring of third parties.
Organizations whose board of directors requires assurances that third-party risks are effectively being managed were 10 percent less likely to experience a breach, the report says.
“It is critical for organizations to actively manage their third-party interactions by implementing standard processes, including inventory and policy review and documentation, senior leadership, and board member oversight, as well as other safeguards to reduce their vulnerability," says Dr. Larry Ponemon.
Do you understand your holistic population of third parties? That is among the crucial questions a company much ask, according to Daniel Maloney, senior manager at Accenture and an expert in third-party risk management. What data is accessed and by who? Is there a segregation of duties and controls? Who has access to servers? Why do they have access? Why do they need this data? Are they collecting too much data?
DATA BREACH STAT
Below, respondents to a Ponemon Institute poll answer a third-party data breach question.
Source: Ponemon Institute
“A third party is basically anyone you have a contract with,” he says. “It is not just vendors or people you pay. It is anyone who you might be doing business with. It includes anyone working on commission, debt collectors, charitable organizations, marketing partnerships, joint ventures, and things like that.”
“You need to understand your third parties,” Maloney adds. “You need to understand which ones have access to your data. Once you understand, for example, that 2,000 out of 10,00 parties have access to your data, then you need to understand where that data is, including which country because each one has different data regulations.”
With that roadmap, it is time to ensure that those parties have proper controls.
Maloney says most companies do a good job initially. Where they start to fall flat is the ongoing maintenance and monitoring of those third parties. “In year three, four, or seven of the contract, are the controls still up to speed, or have they not kept up with the times? Controls, even three years ago, did not even take into account cyber-security,” he says.
A risk-based approach to assessing the inventory of third parties is another priority. “A cloud computing vendor is going to be treated differently than an office supply vendor you buy pens from,” Maloney says. “A particular firm may have no access to data but is critical to the business. You might, in that case, care more about business continuity and financial liability.”
A company, based on its size and influence, may consider being a cyber-security evangelist to its family of partners. Relationship management, when it comes to information security, can be vital.
“A lot of third parties and vendors are very small companies,” Maloney says. “When you want to go and review their cyber-security and information-security policies you are actually telling them things that also help yourself. Yes, you are protecting your data, but you are also helping them because they may not have the resources, skills, or breath of knowledge needed to know what they are missing. Treat them more as a partner and you help them as well as yourself.”
“The big thing is understanding third parties, understanding who has access to data, and where their risk exposure is, from a data perspective or not,” Maloney says. “It may be geopolitical or maybe reputational, but understand that risk exposure and where it is coming from. Make sure that when you review your third parties you do it initially and then on an ongoing basis that corresponds to the risk of the activity, knowing that the risks may change over time. You could have somebody critical today who becomes non-critical tomorrow, or vice versa.”
As for regulators who collect data, “treat them just as you would anybody else,” Maloney says. “You have a program and should do the same things for everybody; you shouldn’t do anything different.”