Like any relationship, contracting with a third party has its risks. No one knows that better than the organizations whose vendors were hit by major breaches in the first half of this year.
Take the Healthcare sector, for instance. The U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool reports:
- 360+ notable breaches already in 2022, with hacking/IT incidents making up the vast majority.
- One third of these breaches involved vendors handling Protected Health Information (PHI).
- 10M users have been affected by these vendor-related breaches.
- 4 of 10 of the largest HIPAA breaches this year involved vendors.
With a whopping 82% of today’s companies providing high-privilege data access to partners, let’s learn what makes vendors such big targets and what can be done to rein in risk across your partnerships.
Attracting The Wrong Types
Vendors don’t need any help looking attractive to hackers. As we shared in our recent article, Validating Vendors: Are They Secure?, Forrester experts say 60% of all data breaches will occur due to third-party issues.
Why are vendors at such high risk?
According to security veterans, third parties often have lackluster IT security practices compared to the clients they serve. Yet without a risk assessment that specifically examines vendors, clients may have no idea their partners aren’t upholding their security standards.
Vendors are also cybercriminals’ springboard for lower-profile deeds. For example, while hacks that disrupt medical care facilities can garner unwanted attention for cybercriminals, going after third parties to steal healthcare records is initially less conspicuous, and extremely lucrative. Patient data can be used to commit a number of identity crimes, making it popular trading fodder on the dark web.
Curbing Vendor Vulnerability
Hackers know the worth of the data they’re targeting. That’s why ransomware attacks continue to dominate, especially against vendors who process coveted data, such as PHI.
HHS’s investigations into these breaches have noted several possible points of prevention. These steps can become part of your vendor management routine. Among the simplest is multi-factor authentication. Stronger passwords can make a big difference in the long run, but requiring users to confirm their identity with a second factor can pose a major obstacle to hackers. In fact, multi-factor authentication is now required of government agencies.
Get serious about cyber defense.
Another major opportunity to tighten boundaries is around phishing campaigns. Resourceful cybercriminals may get in by forging communications, not just from a colleague or boss but from a vendor, and then manipulating the employee into giving up their credentials.
We’ve shared a number of helpful phishing defense tips for organizations training their employees not to take the bait. As a rule, suspicious correspondence should always be reported to your IT security team. It’s also wise to verify unsolicited communications with the person who sent them. Irregularities in spelling, grammar, or an apparent typo in an email address can all be clues to an impostor behind the keyboard. And if someone has any legitimate reason to ask you for money, they should be asking you to your face.
HHS also observes that many breached entities suffer from lackluster security analysis, a process that can vary wildly by organization and by which assets they prioritize. For vendors, whose highest-risk assets are generally customer data, a robust security assessment can illuminate potential points of entry for hackers.
From there, vendors and clients alike can design security protocols to defend against the biggest vulnerabilities first. The time and resources required can make IT security strategy a daunting endeavor, but a comprehensive risk analysis will help make the process more efficient and proactive.
Heading Off Impact
Don’t wait for a vendor to inform you of a breach that has put your organization’s data, operations, and reputation at risk. If Technology Service Providers are essential to your day-to-day business, consider BAI’s Vendor Management Risk Assessment as part of your vendor management approach.
This risk assessment helps to ensure your TSPs are adhering to the same risk management, security, privacy, and other policies that would be expected if your own organization were conducting the activities in-house. Our experts use a methodology based on NIST’s supply chain risk management practices to examine:
- Management Responsibilities
- Risk Management
- Contract Issues
- Ongoing Monitoring
- SOC Report Evaluations And Gap Assessment
We then provide actionable insights into your potential problem areas and specific suggestions for remediation.
Validate your partners’ security by contacting us today.