Security software maker Kaspersky Lab has warned that security breaches suffered by third party vendors have cost businesses over £1.2 million.
Third party vendors often do not encrypt data belonging to their clients and are thus highly vulnerable to cyber attacks and data breaches.
Back in September, TigerSwan, a private security agency in the U.S., suffered a major data breach incident after a third party vendor hired by the firm uploaded sensitive details belonging to thousands of security officials to an unsecured Amazon S3 cloud server.
Similarly, hundreds of enterprises of all sizes have suffered breaches or have lost customer data due to inappropriate handling of sensitive data by their third party vendors. According to Kaspersky Lab, security breaches suffered by third party vendors have cost businesses over £1.2 million.
‘Raising IT security budgets is only part of the solution, as the most staggering losses stem from the incidents involving third parties and their cyber-failures. While cyber security incidents involving third parties prove to be harmful to businesses of all sizes, their financial impact on a company has the potential to result in twice as much damage,” said Alessio Aceti, head of the enterprise business division at Kaspersky Lab.
‘This is because of a wider global challenge – with threats moving fast, but businesses and legislation changing slowly. When regulations like GDPR become enforceable and catch up with businesses before they manage to update their policies, the fines for non-compliance will further add to the bill,’ he warned.
According to security firm UpGuard, if an enterprise with highly resilient and secure IT toolchain outsources the handling of sensitive or valuable data to a third-party vendor lacking such well-designed processes and systems, then the hiring enterprise should pay the price for any resulting exposure.
The firm has also said that enterprises and their vendors must share equal responsibility to ensure the security of sensitive data against exposure to the wider internet. Such responsibility will ensure that third party vendors will no longer be the weakest point in an organisation’s cyber defence system.
Writing for TurboFuture, Virginia Matteo says that while choosing a third party vendor, an enterprise must consider the agency’s experience and ability to secure data, existence of any complaints or litigations against the agency, its systems and data security plans, insurance coverage, security of its websites, scope of internal control and its knowledge of consumer protection and civil rights laws.
Even though background checks of third party vendors are time-consuming and expensive, there’s also the risk of them leaving if they are scrutinised too much. However, it is important for an enterprise to properly vet vendors depending on what kind of information they’ll have access to.
‘Despite the inconveniences of proper vetting, it is crucial for your company’s security; you don’t want to end up contracting fraudulent or even non-existent third parties. Aim to balance out the costs and security considerations,’ she adds.