Kayla Matthews
Kayla Matthews

Addressing Third-Party Security Vulnerabilities in 2019

Third-Party Security Vulnerabilities

Organizations and businesses often spend a lot of time worrying about internal security, both online and off. Infrastructure is often put in place with security front and center, as a means to mitigate potential risks and data breaches.

Unfortunately, it doesn’t matter how secure a network or infrastructure is, because there are still ways companies can be attacked.

Third-Party Security Vulnerabilities

 

Third-party products and services are integral to a lot of businesses and are included in a wide variety of processes.

Auditing, compliance monitoring, vendor and partner support, hardware and software monitoring, maintenance and troubleshooting — all these applications may require the use of third-party tools and services. Unfortunately, every single one of them is vulnerable to an outside attack, which means companies involved with them are, too. That also extends to customers and clients.

With each organization or service provider that is involved with business operations, the risks grow exponentially. In many cases, however, companies have to rely on a third party as there’s no other option. That’s where the idea of a third-party risk mitigation strategy or approach comes into play.

It’s necessary to identify, assess and mitigate certain risks associated with third-party dealings and services.

Why Do Third-Party Breaches Matter?

During April and May in 2018, it was revealed that a small group of retailers was compromised by a massive breach, including Best Buy, Sears, Kmart and Delta Airlines. In terms of goods and services, these companies are hardly related. However, they all relied on a third-party brand called [24]7.ai, which offers chat and customer service tools.

It turned out that [24]7.ai had been compromised via a particularly nasty strand of malware resulting in the breach of incredibly sensitive customer information. Some of the stolen data included credit card numbers, expiration dates, CVV info, customer addresses, names and much more.

Thousands of customers from each of the different companies — and then some — were affected by the breach, which was essentially out of the hands of said retailers.

The company was a third-party vendor that all these retailers were doing business with, and yet the breach affected them as if their own systems or networks had been compromised. It shows that third-party breaches can be just as damaging for organizations as internal ones, if not worse.

The [24]7.ai breach wasn’t the only one that occurred last year, however. Additional high-profile attacks were carried out on brands like Saks Fifth Avenue, Lord & Taylor, MyFitnessPal, Universal Music Group, Applebee’s and many others.

Follow the Six-Step Plan

To mitigate the risks associated with third-party vendors and services, it’s always a good idea to follow a strict plan or strategy — ideally one that is set in place before striking up partnerships or signing contracts.

1) First, establish a vendor management or vetting program. Begin with an introductory assessment that reviews how secure a platform is and whether or not there has been a breach in the past. While looking at a new credit card processor, for example, it’s crucial to check if its systems were affected by a data breach before, and if it was, how things have been improved or updated since.

2) Rank all vendors and partners according to risk. Catalog them based not only on the risk they pose, but also the data they handle. If a vendor is riskier than the others on the list but does not deal in sensitive customer information, it may warrant ranking them higher. Furthermore, update this list regularly and often to ensure priorities remain in order.

3) When striking a new partnership or agreement, cover all the bases by ensuring the third party understands what security protocols should be followed, and what that means for general operations. Ultimately, a third party’s security solutions should be considered too, in order to get a grasp on how protected data will be after it’s exchanged.

4) Endpoint security is an absolute must when working with third parties. Ensure it’s been properly deployed and that core business systems are protected at all times.

5) Stay informed about industry events, especially third-party attacks and breaches. The National Vulnerability Database is an excellent resource for checking up on what’s happening.

6) Develop a plan for dealing with a potential breach or attack before something happens. Even if there are no sensitive details lost, it’s important to take proper action. Ensure that a network or access point is under control and no longer compromised. Secure existing data and any incoming information from further attacks. Lock down systems so any intruders who have yet to be identified cannot cause more damage. Watermark’s response to the infamous Spectre and Meltdown vulnerabilities has been exceptional and serves as an example of how to deal with third-party security vulnerabilities in the aftermath of discovery.

Organizations should always have a full understanding of the data available to them and within their reach. Where is it stored? Who has access to the systems and information? How is it protected, and are there ways around the security? How sensitive is the information and what kind of damage will occur if it’s stolen?

These are all critical components of understanding what, how and where certain data is being used, and how to better protect it.

By Kayla Matthews

Kayla Matthews Contributor
Technology Writer

Kayla Matthews is a technology writer dedicated to exploring issues related to the Cloud, Cybersecurity, IoT and the use of tech in daily life.

Her work can be seen on such sites as The Huffington Post, MakeUseOf, and VMBlog. You can read more from Kayla on her personal website, Productivity Bytes.

follow me
The Cloudification of Healthcare: Benefits and Risks

The Cloudification of Healthcare: Benefits and Risks

Cloud Healthcare: Benefits and Risks Many organizations are moving most of their business-critical applications and workloads to the cloud. The healthcare industry is no exception ...
BI Data

The Rise Of BI Data And How To Use It Effectively

The Rise of BI Data Every few years, a new concept or technological development is introduced that drastically improves the business world as a whole ...
Daren Glenister

What’s Next In Cloud And Data Security?

Cloud and Data Security It has been a tumultuous year in data privacy to say the least – we’ve had a huge increase in data ...
The Massive Growth of the IoT Services Market

The Massive Growth of the IoT Services Market

Growth of the IoT Services While the Internet of Things has become a popular concept among tech crowds, the consumer IoT remains fragmented. Top companies ...
Allan Leinwand

Two 2017 Trends From A Galaxy Far, Far Away

Reaching For The Stars People who know me know that I’m a huge Star Wars fan. I recently had the opportunity to see Rogue One: ...
BBC Tech

Slow websites to be labelled by Chrome browser

Websites that load slowly because they are poorly coded could soon be flagged by Google's Chrome browser. Google said it was working on several "speed badging" systems that let visitors know ...
Reuters news

Situation critical: Vodafone’s future in India in doubt after court ruling

LONDON (Reuters) - Vodafone said its future in India could be in doubt unless the government stopped hitting operators with higher taxes and charges, after a court judgment over license ...
Samsung

Experts Discuss Taking AI to the Next Level at Samsung AI Forum 2019

Samsung AI Forum 2019 Samsung Electronics is committed to leading advancements in the field of artificial intelligence (AI), with the hopes of ushering in a brighter future. To discuss what the ...