Third-Party Breaches Will Continue Until Morale Improves

By Peter Gregory

I have some bad news for you: breaches at third parties are not going to stop – not any time soon. Various studies show that somewhere between one-third and two-thirds of all breaches have their nexus in third-party service providers. Given the decade-long outsourcing trend that is not showing any signs of slowing down, this means that your organization has a decent chance of experiencing one directly or through one of your third parties.


We have spoken at length in previous blog posts about proactive measures your organization can take. Mainly, you can conduct risk assessments on your critical third parties to better understand which third parties might warrant extra attention in the form of improved security controls and other means. In this blog, however, I’m discussing some of the reasons why third-party breaches occur.

High Concentration of Information

The infamous bank robber Willie Sutton was once asked why he robbed banks. “Because that’s where the money is,” was his reply. When any criminal is developing a plan to steal wealth, it makes sense to target locations where high concentrations of wealth reside. In many cases, that means third-party service providers, particularly those that store data of value.

Data Segregation Problems

Most software-as-a-service (SaaS) providers’ applications are multi-tenant. This means that data for many (and often, all) customers resides in a single database. SaaS providers implement a number of logical controls to ensure that data from one customer is not accessible to any other customer. Building these logical data segregation controls is not easy. These controls can be rather complex, and many security professionals understand the phrase, “complexity is the enemy of security,” meaning that a complex system can be difficult to secure, and it can be difficult to maintain that security over time.
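The logical segregation controls described above boil down to one rule that every data-access path must obey: the caller's tenant is part of every query. The following is an added example, not code from the original post or from any SaaS provider; it uses an in-memory SQLite table with constructed rows, shows an id-only lookup beside a tenant-scoped one, and includes the kind of self-check a provider can run to confirm that segregation holds across its whole data set.

```python
"""Logical tenant segregation in a multi-tenant data store.

Added example (not from the original post). A single `documents` table holds
rows for every customer, as in a multi-tenant SaaS application. The data-access
layer must scope every query by the caller's tenant; the id-only lookup shown
first does not, and returns another tenant's row to whoever asks for that id.
"""
import sqlite3
from typing import List, Optional, Tuple


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "  id INTEGER PRIMARY KEY,"
        "  tenant_id TEXT NOT NULL,"
        "  title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents (id, tenant_id, title) VALUES (?, ?, ?)",
        [
            (1, "acme", "Acme payroll Q3"),       # constructed
            (2, "acme", "Acme board minutes"),    # constructed
            (3, "globex", "Globex merger memo"),  # constructed
        ],
    )
    conn.commit()
    return conn


def fetch_document_id_only(conn: sqlite3.Connection, doc_id: int) -> Optional[Tuple[str, str]]:
    """Weak lookup: filters by document id alone. The row is returned to
    whichever tenant asked, so segregation rests only on ids being unguessable."""
    return conn.execute(
        "SELECT tenant_id, title FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


def fetch_document(conn: sqlite3.Connection, tenant_id: str, doc_id: int) -> Optional[Tuple[str, str]]:
    """Tenant-scoped lookup. `tenant_id` must come from the authenticated
    session, never from the request body, and is part of every WHERE clause.
    A row owned by another tenant is indistinguishable from 'not found'."""
    return conn.execute(
        "SELECT tenant_id, title FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, tenant_id),
    ).fetchone()


def verify_isolation(conn: sqlite3.Connection) -> List[Tuple[str, int]]:
    """Self-check a provider can run against its own data-access layer: for
    every (tenant, document) pair, the scoped lookup must return a row exactly
    when the document belongs to that tenant. Returns the violating pairs."""
    tenants = [r[0] for r in conn.execute("SELECT DISTINCT tenant_id FROM documents")]
    docs = conn.execute("SELECT id, tenant_id FROM documents").fetchall()
    violations = []
    for tenant in tenants:
        for doc_id, owner in docs:
            visible = fetch_document(conn, tenant, doc_id) is not None
            if visible != (owner == tenant):
                violations.append((tenant, doc_id))
    return violations


if __name__ == "__main__":
    db = build_db()
    # Tenant "acme" asks for document 3, which belongs to "globex".
    print("id-only lookup:", fetch_document_id_only(db, 3))  # returns globex's row
    print("scoped lookup: ", fetch_document(db, "acme", 3))  # None
    print("violations:    ", verify_isolation(db))           # []
```

The scoped lookup deliberately returns the same `None` for "belongs to another tenant" and "does not exist", so a caller cannot learn which ids are in use elsewhere. `verify_isolation` is the part most worth keeping in a provider's test suite: it exercises the real query path rather than trusting that every developer remembered the tenant predicate.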

Mission and Loyalty Conflict

Third-party service providers are organizations separate from your own. They have their own mission, culture and values. Their loyalty is different too. As much as they will say that they are client-focused, customer-focused or that customers come first, we all know that the implicit mission of any organization is its survival and growth. This means that the organizations that store your sensitive and critical information are first loyal to their own organizations. Any residual loyalty will be towards their customers.

Measuring trustworthiness is subjective and not straightforward. The best that one can do is obtain some customer references to see how well they execute on their customer loyalty and service, then monitor the relationship for changes.

Younger and Smaller Companies with Immature Programs and Controls

Some of the SaaS applications used today are developed and operated by relatively small and young organizations. Others are part of a trusted major firm’s portfolio, but came to being as acquisitions of smaller organizations. Key stakeholders in any organization’s third-party risk program need to be familiar with their third-party vendor portfolio, including knowledge of each vendor’s financial health and origins, as well as the effectiveness of their controls.

As many security professionals can attest, younger and smaller organizations tend to have immature security programs with very limited capabilities. Cyber criminals know this as well, and exploit weaknesses in smaller service providers’ weaker defenses.

Many of these smaller service providers also have limited means for knowing when a breach has occurred, as well as limited incident response capabilities. Many lack central logging and 24/7 monitoring, and their staff may have limited experience with security incident response.

These factors make it especially important for security managers to conduct detailed due diligence on their SaaS providers, including detailed questionnaires on their IT controls, as well as validation of the most important controls. The steps to an effective third-party management program are:

  1. Identify all of your third parties
  2. Establish risk ranking criteria
  3. Risk rank your third parties according to those criteria
  4. Develop due diligence procedures for third parties at each level of risk (for instance, highest risk third parties might receive lengthy questionnaires annually, medium risk third parties would be issued shorter questionnaires every year or two, and lowest risk third parties might be vetted up front with a short questionnaire)
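The four steps above can be carried through as a small, repeatable procedure over a vendor inventory. What follows is an added example, not the post's own method or any particular program's tooling: the scoring weights, tier thresholds, review cadences and the inventory entries are all assumptions chosen for illustration, and a real program would set them from its own risk ranking criteria. It ranks the inventory (step 3), maps each tier to a due diligence procedure (step 4), and reports which third parties are due for a questionnaire on a given date.

```python
"""Risk ranking a third-party inventory and deriving a due-diligence schedule.

Added example (not the post's own method). Weights, thresholds, cadences and
inventory entries are assumptions chosen for illustration.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class ThirdParty:
    name: str
    data_sensitivity: int      # 0 = none .. 3 = regulated or highly confidential data
    access_level: int          # 0 = none .. 3 = privileged access into our environment
    business_criticality: int  # 0 = none .. 3 = an outage halts a core process
    years_in_business: int     # proxy for program maturity (younger and smaller providers)
    last_review: Optional[date] = None  # last completed questionnaire, None if never


def risk_score(tp: ThirdParty) -> int:
    """Step 2, as assumed criteria: data handled counts most, then access and
    criticality. Providers under three years old get a bump for likely
    immature controls."""
    score = tp.data_sensitivity * 3 + tp.access_level * 2 + tp.business_criticality * 2
    if tp.years_in_business < 3:
        score += 2
    return score


def risk_tier(score: int) -> str:
    """Assumed thresholds over a maximum possible score of 23."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


# Step 4: due-diligence procedure per tier (assumed cadence in months; 0 = onboarding only).
DUE_DILIGENCE = {
    "high":   ("full questionnaire plus validation of key controls", 12),
    "medium": ("short questionnaire", 24),
    "low":    ("short questionnaire at onboarding", 0),
}


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic (clamps to the last day of the month)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def rank_inventory(inventory: List[ThirdParty]) -> List[Tuple[str, int, str]]:
    """Step 3: rank third parties by score, highest risk first."""
    ranked = sorted(inventory, key=risk_score, reverse=True)
    return [(tp.name, risk_score(tp), risk_tier(risk_score(tp))) for tp in ranked]


def reviews_due(inventory: List[ThirdParty], today: date) -> List[str]:
    """Which third parties need a questionnaire now. Never-reviewed vendors are
    always due; otherwise the tier's cadence is applied to the last review."""
    due = []
    for tp in inventory:
        _, cadence_months = DUE_DILIGENCE[risk_tier(risk_score(tp))]
        if tp.last_review is None:
            due.append(tp.name)
        elif cadence_months and add_months(tp.last_review, cadence_months) <= today:
            due.append(tp.name)
    return due


# Step 1: constructed inventory with assumed attribute values.
INVENTORY = [
    ThirdParty("PayrollCloud",  3, 2, 3, 12, date(2024, 1, 15)),
    ThirdParty("SurveyStartup", 1, 1, 1, 1,  date(2024, 6, 1)),
    ThirdParty("OfficeCoffee",  0, 0, 0, 20, date(2019, 3, 1)),
    ThirdParty("NewCRM",        2, 2, 2, 2,  None),
]
AS_OF = date(2025, 3, 1)  # constructed "today" for the schedule check

if __name__ == "__main__":
    for name, score, tier in rank_inventory(INVENTORY):
        print(f"{name:14} score={score:2} tier={tier:6} procedure={DUE_DILIGENCE[tier][0]}")
    print("due for review:", reviews_due(INVENTORY, AS_OF))  # ['PayrollCloud', 'NewCRM']
```

Two design points carry over to a real program: a never-reviewed vendor is always due regardless of tier, so a newly onboarded provider cannot slip through because it has no history; and the cadence is derived from the tier rather than stored per vendor, so re-ranking a provider (for instance after it is acquired, or after its financial health changes) automatically changes how often it is vetted.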

These are just the first steps, and there’s a lot more detail involved in building out a comprehensive third-party risk management program. 

(Related note: With IoT devices, a vendor should be committed to baking in security and to maintaining a product after release. It should be a concern if a vendor tends to never patch or update its legacy portfolio. Security is essential in each vendor’s software development life cycle (SDLC).)

Peter Gregory

Director, Information Security

Peter Gregory is a director in Optiv's Office of the CISO. He is a leading security technologist and strategist with a long professional history of advancing security technology, compliance and risk management at all levels of corporate culture. He has published more than 40 books and authored more than 30 articles for leading trade publications in print and online.