What do the exposure of 106 million records from Capital One, 11.9 million records from Quest Diagnostics, and 7.7 million records from LabCorp have in common apart from the fact they all happened this year? In each case the breach was caused by a third party. With the Capital One breach a hacker was able to exploit a configuration vulnerability in the servers of one of its cloud partners. The other two breaches were traced to the same third party – the American Medical Collection Agency’s (AMCA) system.
Data breaches are nothing new. More than 5 billion records were exposed in 2018 alone and third parties were often found to be at fault. The potential cost of a data breach is enormous; even after the breach is cleaned up and the vulnerability shut down, there’s the risk of fines, penalties and settlements which can amount to millions. The reputational damage can linger for years.
With a proper third-party risk management strategy in place you can drastically reduce the chance of a breach happening in the first place and limit the impact on your business if it does.
It’s an expectation not an option
Ignorance is no defense in the event of a data breach. It doesn’t matter if a third party is to blame – if your company is responsible for the data, then you will be held accountable. Regulators in the U.S. and Europe have made it crystal clear that companies are liable for the data they collect and hold, regardless of the network of third parties involved.
Complying with global regulatory requirements is a constantly evolving challenge. It’s important to operationalize data management and security. Start to think of compliance as a journey rather than a destination.
While third-party risk management is especially important in healthcare and finance, where sensitive data and multiple partners are par for the course, this advice also applies to industries from manufacturing to retail to entertainment and beyond. Outsourcing expands your potential attack surface and heightens your exposure to risk and so it must be scrutinized from the start.
Asking the right questions
While you can dig into technical guides like NIST’s CSF and ISO 27001 to help you build solid information security strategies and policies, the best and most obvious way to reduce third-party risk is to limit what you share in the first place. Start with these questions: