Their Cybersecurity Weakness is Your Data Breach Risk

According to the Ponemon Institute, about 61 percent of U.S. companies had experienced a data breach caused by a third party in 2018. 

Think of your top two competitors for a moment. The odds are that two out of the three of you will suffer a security breach as a result of the cybersecurity weaknesses of the vendors and customers with whom you share data, API connections, or other instances of technology interoperability. 

How many third parties — vendors, suppliers, customers — do you have? That is how many outside connections are multiplying your cybersecurity exposure through third-party risk.

Now is the time to create more rigorous governance to ensure that their cybersecurity weaknesses don’t become your data breach. 

[Image: Data transfer — the transmission and exchange of data between computers.]

Cyber Attackers are Broadening their Targets

Cyber attackers have broadened their targets, attacking companies of all sizes in industries such as healthcare, retail, media, energy, manufacturing, education, and I.T. services, among others. The risk to small and medium-sized (SMB) enterprises is rising. Ponemon’s 2018 State of Cybersecurity report shared that nearly 70 percent of SMBs had experienced at least one attack in the previous year.  

SMBs are no longer “low profile” targets, which impacts every vendor or customer you’re integrating or sharing data with, not just the big corporations. Hackers are increasingly focused on smaller organizations because they view them as soft targets with fewer resources and protections.  

Reliance on Third-Party Vendors is Increasing

Relying on third parties has become mission-critical for many organizations. They fill the gaps in services and functionality that an organization doesn’t want to hire or have in-house. Hiring third-party vendors can complement expertise and technologies, as well as enable cost savings and increased efficiency. 

Whereas outsourcing processes and services can be extremely beneficial and make an organization more nimble in responding to market opportunities, there is a downside. Essentially, you are trusting external firms with access to crucial parts of your business.

It goes further when you consider your vendors’ vendors. Seventy percent of organizations have a moderate-to-high level of dependency on external entities. These include third, fourth, and fifth parties, meaning that the vendors of your vendors can also pose a risk to your organization. Recent breaches, like those at Target and Marriott, drive home the damaging effect of poor third-party risk management.

How many outside organizations have access to your systems? Which organizations have privileged access to your systems and data? Do you maintain a list of the organizations that have access?

Ramping Up Third-Party Risk Management and Cybersecurity

Regulatory compliance has helped some organizations and industries, like financial services, create more vigorous third-party management practices and policies. However, most SMBs are still in the very early stages of establishing a risk management program, let alone governing their vendors’ access.

It is understandable that smaller organizations have less protection, but the risk and potential cost can shut a company down. A 2019 study revealed that 10 percent of those companies breached in 2019 closed. “Following a breach, 69 percent of these respondents were knocked offline for a limited time, 37 percent experienced financial loss, 25 percent filed for bankruptcy, and 10 percent went out of business,” researchers report.

What would happen if 10 percent of your vendors shut down due to a single breach? 

While most small businesses lack internal I.T. cybersecurity staff altogether, and few mid-sized companies have enough of them to implement and manage a comprehensive program, the need still exists. And, according to CIO Magazine, 40 percent of the CIOs it surveyed expected to have difficulty filling their open security jobs.

Outsourcing third-party risk management is one way to stay neutral and put the onus on a cybersecurity consulting firm to provide the due diligence and oversight of your outside vendors.

How Can CyLumena Strengthen Your Third-Party Connections and Minimize Risk?  

Want to learn more about third-party risk management? Let us know you’d like to receive our upcoming white paper and we’ll be sure to send it to you once it is published. To request it, please use the subject line: Send me TPRM white paper when published. Then, let’s discuss your third-party profile and management needs.

Insight Contributor:

Luke Wawrzeniak, Manager

Luke is a cybersecurity consulting professional with extensive experience developing and implementing Governance, Risk, and Compliance Management strategies and project execution.

He has helped clients mitigate regulatory and audit findings by achieving compliance with the following frameworks: NIST, ISO 27001, HIPAA, PCI, SOC2, and HITRUST.