The Growing Risks of Vendor Technology to Your Business

While your organization may have its cyber-security protocols buttoned up using best practices, there is a growing risk to businesses from the tech vendors they use to run their operations.

According to the 2023 SecurityScorecard “Global Third-Party Cybersecurity Breaches” report, 98% of organizations have a relationship with a third party that has been breached and 29% of all breaches were attributed to an attack on a third party outside of the organization.

The findings reflect the growing risk to businesses as they use more third-party apps, software and cloud services, some of which have access to troves of important company data.

Also, the costs of a cyberattack on a company’s vendor are often 40% higher than the cost to remediate an internal cyber-security breach.

The findings shine the spotlight on the growing risks from interconnectivity in digital supply chains and vendor relationships that affect virtually all businesses, in particular those that:

  • Rely on tech vendors that keep day-to-day operations running.
  • Entrust confidential information on clients and employees to a third party vendor.
  • Use outside vendors for specific goods and services.

 

Another survey by the cyber-security firm OneTrust found that:

  • 71% of organizations use more outside technology vendors than they did three years ago.
  • 73% of businesses have experienced significant disruption caused by a third party, whether it be a data breach or ethical violation.
  • 73% say outside vendors have more access to company data than they did three years ago.
  • 80% have expanded their third party due diligence questionnaires in recent years.

 

Examples of third party relationships that may pose risks

  • File transfer software
  • Client management software
  • Business management platforms
  • Cloud services
  • Hosting provider and external platforms
  • Security software
  • Outsourced software development
  • Facilities management software

 

Third party breach examples

The crash. An online store uses a cloud provider to run its business and an outage causes its website to crash, preventing orders from being fulfilled.

Effect: Contingent business interruption (coverage for third party events), in addition to other expenses and costs.

 

The backdoor attack. A vulnerability in software that connects to a company’s servers turns out to be a backdoor for attackers who install malicious code on the firm’s network.

Effect: The vendor attack could lead to business interruption and additional expenses.

 

The payroll vendor breach. The payroll company an employer uses suffers a breach, potentially exposing confidential information of clients and/or vendors.

Effect: This could constitute a privacy incident, potentially requiring notification to affected individuals and companies.

 

What you can do

As attacks on third party vendors continue to increase, it’s important you understand your firm’s third party risks, and how to measure and manage those risks.

Besides strengthening internal cyber-risk protocols, you should consider doing an analysis of your third party risks. While this will vary depending on the business and its industry, here are some ways you can get a better handle on your company’s vulnerabilities:

  • Determine which vendors are critical to your operations. For the most critical, you can also determine which suppliers or providers your vendor uses.
  • Define and quantify your risk with each third party tech vendor you use, to help you identify the damage to your organization should they suffer an attack that compromises their systems, and subsequently, yours.
  • Create an incident response plan that maps out what steps your organization can take in case a vital vendor goes down. Test the plan against different types of scenarios and determine how you would respond. You should allow not only your IT people, but also the rank-and-file staff who use these systems, to test the plan’s effectiveness.
  • Verify that your critical vendors carry cyber-insurance coverage that would address losses your firm may endure if they suffer an event.

 

Insurance

To ensure that you are not left footing the bill for these types of incidents, review your cyber-insurance policies to see if they cover attacks or incidents on third parties that your firm uses. Call us for a review.
