Date: 18 Feb 2020
The CISO Conundrums, Part 3: Third-party Ecosystem & Risks
The spate of data breach incidents around the world involving third-party vendors has been threatening businesses beyond cost damages.
In Part 3 of our 4-part “The CISO Conundrums” series, we explore third-party ecosystem and risks, one of the greatest challenges a CISO can have as part of their business role within an organisation.
There’s a paradox to access management when it comes to third-party vendors. On one hand, companies give vendors privileged access to corporate resources so that vendors can do what they do best with lesser restrictions, increasing efficiency. On the other hand, if the right balance isn’t struck, relinquishing too much access impacts security and increases likelihood for a breach.
Inappropriate or lax third-party privileges have been a cause for hackers to wreak havoc. A case study example is the massive Target breach in 2013. Hackers had managed to access the retailer’s point-of-sale terminals through its HVAC contractor, despite the contractor’s limited access to Target’s IT infrastructure to begin with.
Target had paid settlements that cost hundreds of millions, but damages were more than that. A study by YouGov, which measures brand perception, showed that customer perception of Target sank below its competitors like Walmart and Kmart during the holiday shopping season. The Wall Street Journal also reported Target’s shopper traffic dropped during that period while its competitors still had a healthy level of business.
Security of data handled by third parties
When it comes to ensuring shared data security with third party vendors, it pays to be always cautious. Businesses should constantly monitor and evaluate vendors that are onboard and that are onboarding.
Dealing with sensitive customer data requires a whole new level of service quality by third parties. Measuring criteria for a good third party vendor dealing with customer data would include, for instance, robust security controls and proactive approaches to dealing with outdated endpoints on their networks. Their systems, including web browsers and operating systems, should always be up-to-date.
Bitsight found, through a study of 35,000 companies from over 20 industries across the world, that thousands of companies are running outdated systems which increases their likelihood of experiencing a data breach up to 3 times.
In 2017, the WannaCry ransomware infected thousands of computers across the globe and took data hostage. If companies had installed a critical update by Microsoft months before the attack, one of the vulnerabilities believed to exploited by hackers of WannaCry could have been avoided.
Auditing and governance
While European countries affected by GDPR is leading the world’s adoption of strict data protection laws and regulations, other countries are following suit. Protecting personal data collected from customers is important even when organisations outsource their work to vendors. Companies must be accountable for their customers’ personal data and ensure cybersecurity governance of their third-party vendors. Otherwise, they risk potentially huge cost and reputational damages.
Closer to home, the SingHealth data breach in 2018 took on the mantle of being the nation’s worst data breach yet. 1.5 million patients’ non-medical personal data, including Prime Minister Lee Hsien Loong’s, were stolen in the data breach saga. The Personal Data Protection Commission (PDPC) had slapped the largest fine of $750,000 to SingHealth’s vendor, Integrated Health Information Systems (IHiS) for the lax in securing patient data.
If SingHealth has better cybersecurity governance over IHiS, this might not have happened. The huge fine is one thing, and while SingHealth may have avoided reputation damage arising from speculation by responding quickly to the media, Singapore’s reputation as a tech innovator received a dent.
For more content like this, follow us on web and our social channels.