Addressing Third-Party Security Vulnerabilities

Third-Party Security Vulnerabilities

Organizations and businesses often spend a lot of time worrying about internal security, both online and off. Infrastructure is often put in place with security front and center, as a means to mitigate potential risks and data breaches.

Unfortunately, it doesn’t matter how secure a network or infrastructure is, because there are still ways companies can be attacked.

Third-party products and services are integral to a lot of businesses and are included in a wide variety of processes.

Auditing, compliance monitoring, vendor and partner support, hardware and software monitoring, maintenance and troubleshooting — all these applications may require the use of third-party tools and services. Unfortunately, every single one of them is vulnerable to an outside attack, which means companies involved with them are, too. That also extends to customers and clients.

With each organization or service provider that is involved with business operations, the risks grow exponentially. In many cases, however, companies have to rely on a third party as there’s no other option. That’s where the idea of a third-party risk mitigation strategy or approach comes into play.

It’s necessary to identify, assess and mitigate certain risks associated with third-party dealings and services.

Why Do Third-Party Breaches Matter?

During April and May in 2018, it was revealed that a small group of retailers was compromised by a massive breach, including Best Buy, Sears, Kmart and Delta Airlines. In terms of goods and services, these companies are hardly related. However, they all relied on a third-party brand called [24]7.ai, which offers chat and customer service tools.

It turned out that [24]7.ai had been compromised via a particularly nasty strand of malware resulting in the breach of incredibly sensitive customer information. Some of the stolen data included credit card numbers, expiration dates, CVV info, customer addresses, names and much more.

Thousands of customers from each of the different companies — and then some — were affected by the breach, which was essentially out of the hands of said retailers.

The company was a third-party vendor that all these retailers were doing business with, and yet the breach affected them as if their own systems or networks had been compromised. It shows that third-party breaches can be just as damaging for organizations as internal ones, if not worse.

The [24]7.ai breach wasn’t the only one that occurred last year, however. Additional high-profile attacks were carried out on brands like Saks Fifth Avenue, Lord & Taylor, MyFitnessPal, Universal Music Group, Applebee’s and many others.

Follow the Six-Step Plan

To mitigate the risks associated with third-party vendors and services, it’s always a good idea to follow a strict plan or strategy — ideally one that is set in place before striking up partnerships or signing contracts.

1) First, establish a vendor management or vetting program. Begin with an introductory assessment that reviews how secure a platform is and whether or not there has been a breach in the past. While looking at a new credit card processor, for example, it’s crucial to check if its systems were affected by a data breach before, and if it was, how things have been improved or updated since.

2) Rank all vendors and partners according to risk. Catalog them based not only on the risk they pose, but also the data they handle. If a vendor is riskier than the others on the list but does not deal in sensitive customer information, it may warrant ranking them higher. Furthermore, update this list regularly and often to ensure priorities remain in order.

3) When striking a new partnership or agreement, cover all the bases by ensuring the third party understands what security protocols should be followed, and what that means for general operations. Ultimately, a third party’s security solutions should be considered too, in order to get a grasp on how protected data will be after it’s exchanged.

4) Endpoint security is an absolute must when working with third parties. Ensure it’s been properly deployed and that core business systems are protected at all times.

5) Stay informed about industry events, especially third-party attacks and breaches. The National Vulnerability Database is an excellent resource for checking up on what’s happening.

6) Develop a plan for dealing with a potential breach or attack before something happens. Even if there are no sensitive details lost, it’s important to take proper action. Ensure that a network or access point is under control and no longer compromised. Secure existing data and any incoming information from further attacks. Lock down systems so any intruders who have yet to be identified cannot cause more damage. Watermark’s response to the infamous Spectre and Meltdown vulnerabilities has been exceptional and serves as an example of how to deal with third-party security vulnerabilities in the aftermath of discovery.

Organizations should always have a full understanding of the data available to them and within their reach. Where is it stored? Who has access to the systems and information? How is it protected, and are there ways around the security? How sensitive is the information and what kind of damage will occur if it’s stolen?

These are all critical components of understanding what, how and where certain data is being used, and how to better protect it.

By Kayla Matthews

Disaster Recovery Plan.png
Viral Infection Wearabletech
Data Bed.png
It’s Magic
Crozdesk Business Software
B2B SaaS Comparison Platforms B2B SaaS Comparison Platforms are designed for buyers looking for additional information on a particular vendor and service. These sites help ease the complexities for buyers by providing a detailed breakdown ...
Wealth Management Software Solutions - ServiceNow
Financial wealth management services (Updated: 06/29/2022) Many want to live in abundance, but very few people have what it takes to harness true wealth. True wealth is harnessed through the effective management of resources. Despite ...
David Dymko
Working with virtual machines and or Kubernetes A conversation with David Dymko, Director of Engineering for Cloud Native Development at Vultr.com If you work with virtual machines and or Kubernetes, and if you have some ...
Suraj Kumar Singh
Make Smarter Business Decisions Updated: 08,18,2022 Launching a new start-up? You’ll need to invest in costly software packages, in-house servers, off-site back-ups and more. Right? Wrong. Thanks to the cloud, entrepreneurs are spoiled for choice ...
Jen
VoIP and PBX Phone Systems The cloud is already providing businesses with such a range of advanced tools and services, optimizing communication across channels, improving global cooperation, and supporting collaboration between teammates and partners both ...
  • Plural Site

    Pluralsite

    Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization.

  • Isc2

    ISC2

    (ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees. If you want a job in cybersecurity, this is the route to take.

  • App Academy

    App Academy

    Immersive software engineering programs. No experience required. Pay $0 until you're hired. Join an online info session to learn more

  • Cybrary

    Cybrary

    CYBRARY Open source Cyber Security learning. Free for everyone, forever. The world's largest cyber security community. Cybrary provides free IT training and paid IT certificates. Courses for beginners, intermediates, and advanced users are available.