Hardly a day goes by without a new headline about a high-profile breach. Pick up a local newspaper, or the NY Times, or simply spend a few minutes on your LinkedIn feed and you’ll find news about Target, Home Depot and Wendy’s, to name a few. What a headache for these organizations to deal with.
So, how well do you really know your third-party vendors? Have you asked the right questions about risks, exposures, access, etc.?
The companies mentioned above all have a common link: their breaches were ultimately tied back to a third party. In 2014, Troy Leach, CTO for the PCI Security Standards Council, referenced a study that stated approximately 65% of breaches were traced back to a third party.
65% of breaches caused by a third party – let that sink in.
With organizations looking to enhance their online offerings, becoming more dependent on technology, and being asked to do more with less, many institutions are turning to third-party vendors to help. Their solutions can supplement internal staff and improve efficiency. However, while they may offer many benefits, granting a vendor access to your company’s internal network introduces new risk and new avenues of compromise.
Many organizations feel helpless with regard to their vendors and the possibility of a vendor being breached. While there is no silver bullet to prevent a third-party vendor breach, there are steps your organization can take to mitigate the risk.
Below are some tips to take into consideration when working with a third-party vendor that will have access to your network:
- Perform thorough due diligence, including reviewing the vendor’s SSAE-16/SOC reports and penetration test results.
- Understand the level of access the vendor actually requires and ensure their account has only the privileges needed to perform their job.
- If after-hours work will not be required, consider setting up time-based restrictions on the vendor’s network account and VPN connection.
- Utilize strong passwords for all vendor accounts. Rebyc Security recommends passwords of at least 15 characters for all external vendor accounts.
- Consider implementing a multi-factor authentication solution for all vendor accounts that have internal network access.
- Ensure your contract gives your organization the right to audit your vendor. An audit can give your organization assurances that the vendor is performing their services and operations as expected.
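One way to implement the time-based restriction from the list above on a vendor’s Active Directory account, as an added example that is not part of the original post: it builds the account’s logonHours mask for a local business-hours window and decodes it back so the result can be checked before it is applied. It assumes the vendor account is an AD user, that logonHours is a 21-byte mask (one bit per hour of the week, Sunday 00:00 UTC first, least significant bit of each byte being the earliest hour), and the business hours and UTC offset are constructed sample values.

```python
"""Build and inspect an Active Directory logonHours mask for a vendor account.

Assumes the vendor's account is an AD user. logonHours is 21 bytes: 168 bits,
one per hour of the week, Sunday 00:00 UTC first, least significant bit of
each byte being the earliest hour. Confirm the layout in your own directory."""
from typing import Iterable, Set, Tuple

HOURS_PER_WEEK = 7 * 24  # 168 one-hour slots = 21 bytes


def build_logon_hours(days: Iterable[int], start_hour: int, end_hour: int,
                      utc_offset_hours: int = 0) -> bytes:
    """Permit logon only on `days` (0=Sunday .. 6=Saturday) from start_hour
    (inclusive) to end_hour (exclusive), given in LOCAL time. utc_offset_hours
    is the site's offset from UTC (-5 for US Eastern Standard Time); AD checks
    the mask in UTC, so the window shifts and may wrap into the next day."""
    if not 0 <= start_hour < end_hour <= 24:
        raise ValueError("need 0 <= start_hour < end_hour <= 24")
    mask = bytearray(21)
    for day in days:
        if not 0 <= day <= 6:
            raise ValueError(f"day must be 0..6, got {day}")
        for local_hour in range(start_hour, end_hour):
            # local -> UTC slot index within the week; modulo handles wrap-around
            slot = (day * 24 + local_hour - utc_offset_hours) % HOURS_PER_WEEK
            mask[slot // 8] |= 1 << (slot % 8)
    return bytes(mask)


def allowed_slots(mask: bytes) -> Set[Tuple[int, int]]:
    """Decode a mask into the set of permitted (utc_day, utc_hour) slots."""
    if len(mask) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    return {(slot // 24, slot % 24) for slot in range(HOURS_PER_WEEK)
            if mask[slot // 8] & (1 << (slot % 8))}


def is_allowed(mask: bytes, utc_day: int, utc_hour: int) -> bool:
    """True if the mask permits logon during the given UTC day and hour."""
    return (utc_day, utc_hour) in allowed_slots(mask)


if __name__ == "__main__":
    # Constructed scenario: vendor works Mon-Fri 08:00-18:00 local, site at UTC-5.
    mask = build_logon_hours(range(1, 6), 8, 18, utc_offset_hours=-5)
    print(mask.hex())               # bytes to write into logonHours
    print(is_allowed(mask, 1, 13))  # Monday 08:00 local -> True
    print(is_allowed(mask, 1, 8))   # Monday 03:00 local -> False
```

The returned bytes are what you would write to the account’s logonHours attribute (for example with Set-ADUser -Replace); the VPN-side schedule is a separate control on the VPN concentrator and is not covered here.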
If you have questions, we can help. Contact us for a free consultation where we can discuss your current information security challenges.