A company may have the most intelligent approach enveloping each and every facet of your business structure, but as soon as your data is transmitted to a third party you lose control over it. Even if a company is reputable and you’ve signed all the papers, you’re not protected from employee negligence or fraudulent attempt which could take place within the other company’s perimeter.
Phineas Fisher, a famous hacker, has recently mentioned mining and livestock companies in South Africa alongside other organisations, mainly banks and oil companies, as the hacktivists’ targets. He is willing to inspire others showing them the power of a data breach and reward diligent offenders for data leaks.
The adherent of public interest hacks already compromised surveillance vendors, affected the police, a politic party and a bank claiming the bank’s activity was unlawful – he shared the corporate emails with everyone as well as the money which he stole from the bank.
The news came as a reminder of knowing little about the companies we give our data to. We don’t know if the third-party business we work with has all the policies and mechanisms in place to prevent an attack or ensure business continuity.
You can’t control a third-party organisation as if it was your own, but you can demand clarity and transparency concerning those areas of activities which involve and might affect your corporate data:
Ponemon Institute has conducted research on a third-party data breach issue. In 2016, 49% of companies were affected by a breach due to a contractor, whereas in 2018, there were already 59% of businesses affected indicating the same reason.
The Privileged Access Threat Report 2019, prepared by BeyondTrust, demonstrates that access rights management program and data audit requires enhanced measures.
According to the report, 58% of respondents are sure that they were breached due to third party vendors’ access. A year ago the number of third party vendors which could access organisations’ IT systems reached 75%. 1 in 8 businesses with more than 5,000 staffers employed aren’t even aware of how many vendors access the network remotely in a specific period of time.
Preventative measures needed
As PwC reports, an impressive number of companies have no preventive measures from third-party breaches. Taking into consideration the abovementioned we see that the situation is nearly critical.
Make sure that third parties can’t connect to the assets within your company’s network. Combative network security is crucial as it alleviates the risk of unauthorised access. If a company’s threat mitigation program lacks network segmentation, an organisation is exposed to incidents in case a contractor is breached.
It is important that only the data which is required for work performed by third parties is available to them and nothing which is beyond their responsibilities is exposed. Even if the information isn’t related to the tasks third parties implements but is available in front of them, it becomes automatically obtainable.
Internal audit should be conducted as an ongoing process in order to monitor deviations from the agreed terms of working, including the amount of data allocated for the third party’s use.
It is a company’s job to take care of corporate information allotted to a contractor, as they are responsible for task completion, not for information safety, thus, their security measures aren’t part of your agreement and might differ considerably from those introduced in your company.
You have the right to evaluate a third party’s controls and policies relevance which is within the scope of your agreement and conform to the controls and regulations introduced in your company.
The surveillance is obligatory, continuous monitoring procedures of the number of vendors accessing particular systems should be established. Since the access is controlled, the accounts created for the third parties are visible and can be managed.
It is also important to protect both internal and external perimeters - audit of database queries (any databases storing confidential data) is a must, especially considering access from outside, for example, in a corporate CRM.
Healthcare industry can serve an illustration of the consequences of a third-party breach. The largest clients refused to continue working with AMCA (American Medical Collection Agency) due to the breach of personal data which compromised details, including names, dates of birth, provider and balance information, of 20 million U.S. citizens. AMCA, third-party provider of billing services, didn’t manage to safeguard the data of major healthcare organisations’ clients. The information was exposed from August 2018 until March 2019. The company went bankrupt and announced about it shortly after the incident was discovered.
According to the report made by Gurucul security company, 74% of respondents admit to limiting access granted to third parties - representatives of finance and retail sectors account for 80% of those who narrowed down access rights due to third-party leakage risks.
