Companies of all sizes are doing a good job beefing up their cybersecurity, and that's great. But many are forgetting an often overlooked target: their third-party service providers.
Any company that uses third-party CRM software or an external server with access to sensitive or confidential data could be risking a data leak. Investigating the security of your third-party providers is extremely important.
In February 2018, security researchers reported that a Walmart third-party vendor, Limogés Jewelry, exposed confidential data, emails and passwords for over 1.3 million customers. That data also included records for retailers such as Amazon, Overstock, Sears, Kmart and Target.
Most companies are not prepared for this type of breach and have a tough time understanding their third-party vendor risk because:
- They don’t have the staff to review all their third-party vendors.
- They may not know who all their third-party vendors are.
Surprisingly, the move to SaaS (Software as a Service) tools and platforms has, in some ways, reduced the security posture of some companies. SaaS tools allow third-party providers to host applications on the internet so they are readily available to customers. Since buying a new SaaS tool is as "easy" as using a credit card, the number of third-party vendors has increased. For example, if different departments in a company aren't getting what they need from the internal technology team, they can purchase a third-party solution and send their data to the vendor.
Before you know it, the company's data has been sent to multiple vendors with very different security postures, some of which may be less secure than the company itself.
In 2018, Ticketmaster suffered a security breach when the third-party support chat tool it was using was hacked and an attacker exploited its vulnerabilities.
So how can your company prevent a data breach through a third-party vendor?
- Educate and train your staff about your company's vendor evaluation process.
- Review the security measures of each vendor and understand what data and how much access they will have.
- Ensure compliance: if your company must meet a compliance standard (e.g. GDPR, HIPAA, PCI), verify that your vendor also has the same compliance and certifications in place. All companies will claim to be secure, but certification means they went the extra step and invested in their security. If possible, look for companies that are SOC 2 or HITRUST certified.
- Keep a record of all third-party vendors and review them often.
Remember, you are only as strong as your weakest link, and not knowing about the link doesn't work as a security strategy.
At Accorian, we have helped companies of all sizes answer these questions by providing them with a security roadmap that successfully manages the risk of their third-party vendors.
We can provide the same services to your company, so contact us today and let’s get started.