Updated on July 31, 2024
2023 saw some huge data breaches, the biggest of which hit the third-party file transfer product MOVEit. Around 1,841 organizations disclosed that they had been affected by the incident, which started when the Clop cyber extortion gang exploited a critical vulnerability in MOVEit’s software. Victims included the United States Department of Energy, British Airways, Ontario’s government birth registry, and Shell. Only 189 of those organizations reported how many people had their sensitive information stolen, so the count of 62 million victims could be 10 times higher.
This attack may have prompted you to tighten your cybersecurity, but despite putting systems in place to keep your customers’ data safe, your business can still run into trouble because of ‘leaky’ third-party software like MOVEIT. Even though your company has robust data security policies and takes the utmost care to keep your users’ personal or sensitive data safe, you can’t always say the same for the third-party software vendors that your business relies on. Some of your trusted partners could be allowing unauthorized end-user data harvesting without your knowledge.
Recent research by SecurityScorecard found that 98% of organizations have links with a third-party software provider that has experienced a breach at some point. Overall, third-party breaches were behind 29% of all breaches, with healthcare and finance providers experiencing the highest numbers.
Healthcare is thought to suffer the most because it has the most third-party connections and because it’s such a lucrative target. The bottom line is that the more third parties an organization has connections with, the more likely it is to suffer a third-party attack.
The Ever-Growing Attack Surface
These days, most organizations with an online presence are at risk of data harvesting, and this risk escalates when so many of them rely on third-party application vendors to supply and maintain the tools they need to function. It may be dangerous to trust sensitive data to external software, but it’s also essential because very few businesses have the resources and expertise to do everything themselves.
It makes sense for them to outsource sales, cloud storage, communications, customer relationship management, password management, advertising, and many more essential tasks to external providers because it’s the most cost-effective way to get the best tools. Third-party vendors are specialists in their respective areas, whether that’s website development, search engine optimization, or payment processing. They can provide scalable solutions, which can grow at the same pace as your business website, and they often provide customer support and maintenance services too.
So, the upside is clear, but with every new third-party software product that a company uses, the attack surface expands, and because each of them may have privileged access to some of your customers’ sensitive data, the potential for a data breach increases. If your business uses dozens of such providers, then the scope for attack becomes enormous and the job of defending it becomes vastly more difficult.
The Cost of Third-Party Data Harvesting
Data harvesting can have severe consequences for a company, both financially and in terms of its reputation. Some of the fallout from a data breach may include:
Financial loss: A breach caused by data harvesting can lead to significant financial losses for a company, including costs associated with investigating and resolving it, contesting lawsuits, and compensating those affected. In addition, a data breach can also harm both your revenues and your customers’ confidence, because of the next point…
Damage to reputation: Bad news travels fast, and businesses that have suffered from a cyberattack or data breach often struggle to attract customers or clients. Incidents like these can cause long-lasting reputation damage for companies because information on the internet can linger almost indefinitely. Just one breach can leave a company permanently tarnished.
Legal liability: In contrast with many other countries, the United States does not have a single comprehensive data protection law that governs the protection of personal data. However, it has enacted hundreds of federal and state laws, creating a complex web of regulations that aim to safeguard the personal information of American citizens. So, depending on its circumstances, a company may face prosecution over a data breach, which can lead to fines, lawsuits, and other legal penalties.
Operational disruption: A data breach can cause significant operational disruption for a company, including system downtime, security upgrades, and increased demands on IT resources.
Regulatory compliance issues: A data breach can lead to noncompliance with regulations, which can be incredibly costly. For instance, between May 2018 and January 2020, GDPR fines totaled $139 million, but in the following year, to January 2021, reported fines more than doubled to $332 million.
The 2024 edition of DLA Piper’s GDPR and Data Breach Survey found that European supervisory authorities issued a total of $1.94 billion in fines since 28 January 2023, a 14% increase over the previous year. The bulk of those fines was borne by Facebook’s parent company Meta, when Ireland’s Data Protection Commission imposed a $1.3 billion fine for transferring EU residents’ data to the US without authorization. This steady rise in GDPR fines shows that regulators are growing more punitive every year.
For an individual company responsible for a serious data breach, the fines can be as high as 4% of its global revenue or €20 million ($21.67 million), whichever is higher, and unfortunately, you can’t simply blame the third-party vendor for compromising your customers’ data. The responsibility lies with you. Remember, too, that if you process customer credit card data, you could also be in breach of PCI DSS, which can attract additional fines ranging from $5,000 to $100,000 for each month of non-compliance.
But what does a typical breach cost the average business? Well, every year, IBM Security reports on the worldwide average cost of a data breach, and for 2023 it recorded its highest-ever figure, $4.45 million, up 2.3% from 2022. As bad as that looks, in the US, the average is $9.48 million, and in the US healthcare industry, it’s $10.93 million. This is the 13th consecutive year that healthcare has outstripped other industries in terms of the cost of a breach.
Steps to Preventing Third-Party Data Harvesting
1. Conduct Third-Party Vendor Audits
Since prevention is better than cure, assessing the cybersecurity risk of taking on any third-party vendor should begin before you give them access to your network and sensitive client data. You can weed out problematic vendors by making your audit requirements clear before you onboard them. Think of it as a vetting process. If they’re resistant to audits at this stage, they are unlikely to be more forthcoming with the reassurances you need later on. Make sure that any third-party vendor commits to ongoing assessments of their data protection measures to keep both of you compliant with cybersecurity standards.
Your audits should seek evidence that a third-party vendor has a comprehensive information security program, but this is only the beginning. To truly safeguard your data, a vendor must be able to demonstrate their commitment to risk management through a robust vulnerability management program. They should be able to provide recent results from internal risk assessments, penetration testing, and compliance frameworks.
A critical aspect of risk management is having a solid supply chain risk mitigation strategy and plans for how to remediate any potential data breach. Ongoing third-party risk monitoring is crucial for gaining continuous insights into the vendor’s cybersecurity program. Conduct regular quarterly reviews to evaluate the vendor’s performance metrics and security posture.
Your organization’s reputation and customers’ trust depend on your ability to safeguard sensitive information. Therefore, it’s crucial to partner with third-party vendors that take risk management seriously and invest the resources needed to shut down potential threats. By prioritizing risk management and implementing regular third-party risk monitoring, you can help ensure that all the data under your control remains secure.
2. Adopt a Principle of Least Privilege (POLP) Model for Data Access
This is another element of prevention that also includes damage limitation if a breach occurs. The POLP approach means sharing information on a need-to-know basis. Just as you would only give your employees access to the minimum amount of information and system resources that they need to do their job (role-based access control), so you should also apply this principle to vendors to reduce the risk of third-party data harvesting. Even if a breach occurs, this approach limits the amount of sensitive data that would have been compromised if you had given a vendor access to everything.
3. Adopt the Zero-Trust Model
Zero trust means that your systems treat everyone using your network as untrusted by default, so access to applications and data is granted only after ongoing authentication and authorization. This approach uses techniques such as multi-factor authentication to prevent unauthorized access and ensures that if cyber criminals gain entry to one part of your system, they won’t be able to move laterally to compromise others.
4. Keep an Inventory of Your Vendors
Before you can adequately determine the risk level that your third-party vendors will introduce, you need to understand who they are and how much is being shared with each of them. If you don’t have an inventory of the third parties you are involved with, you won’t be able to assess the level of risk that they introduce.
Of those organizations that do keep an inventory, some could improve their approach. Keeping separate lists in different departments causes confusion, so set up a single central inventory and assign roles, conventions, and procedures for its maintenance. And once you have it, use it! Despite the dangers, fewer than half of organizations risk-assess their vendors.
5. Continuously Monitor Your Third-Party Apps
Reflectiz continuous monitoring gives you ongoing oversight of your online environment. It’s an entirely remote solution that requires no installation. It keeps track of all of your third-party applications (as well as open-source tools, iframes, and external servers) and gathers information on them to create an online inventory that’s accessible via your dashboard within minutes. It can spot third- and fourth-party vulnerabilities and flag outdated software versions and compliance issues before they become costly. For instance, it detected problems with a client’s TikTok tracking pixel and saved them from the nightmare scenario of unauthorized data harvesting. Reflectiz alerted the client right away and gave them steps to remediate the problem, which is quite something when you consider that in 2023, discovering a data breach took an average of 204 days.
With clear oversight of each application, you can quickly respond to any suspicious behaviors they might perform, and it’s a solution that doesn’t require you to write any code.
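To make steps 4 and 5 concrete, here is an added example (not Reflectiz code and not part of the original post) of the basic check a defender can run on their own: parse a page of your site, list every external origin it loads scripts, iframes, images (tracking pixels) and stylesheets from, compare those origins against the central vendor inventory, flag origins nobody approved, flag requests that carry personal-data-looking query parameters to any third party, and diff the result against the last known baseline so unexpected additions stand out. The first-party host `shop.example`, the vendor list, the baseline and the sample page are all constructed for the example.

```python
"""Inventory the third-party resources a web page loads and audit them against
an approved-vendor list.  Added example; hosts, vendors and the sample page
are constructed, not real."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hypothetical first-party site and central vendor inventory (host -> vendor name)
FIRST_PARTY = "shop.example"
APPROVED_VENDORS = {
    "cdn.payments-vendor.example": "Payments Inc (PCI scope)",
    "analytics-vendor.example": "Analytics Co",
}
# Query-parameter names that suggest personal data is being sent off-site
SENSITIVE_PARAMS = {"email", "phone", "name", "address", "ssn", "dob"}


class ResourceCollector(HTMLParser):
    """Collects (tag, url) for every script, iframe, img and link element."""
    TAG_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.TAG_ATTRS.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if url:
            self.resources.append((tag, url))


def external_origins(html, first_party):
    """Map each third-party host to the tags loading from it and the query keys sent to it."""
    parser = ResourceCollector()
    parser.feed(html)
    origins = {}
    for tag, url in parser.resources:
        parsed = urlparse(url)
        host = parsed.hostname
        # Relative, data: and first-party (including subdomain) URLs are not third parties
        if host is None or host == first_party or host.endswith("." + first_party):
            continue
        entry = origins.setdefault(host, {"tags": set(), "params": set()})
        entry["tags"].add(tag)
        entry["params"].update(parse_qs(parsed.query).keys())
    return origins


def audit_page(html, first_party, approved_vendors):
    """Classify every external origin as approved or unknown and flag possible harvesting."""
    report = {"approved": {}, "unknown": {}, "possible_harvesting": {}}
    for host, info in external_origins(html, first_party).items():
        if host in approved_vendors:
            report["approved"][host] = approved_vendors[host]
        else:
            report["unknown"][host] = sorted(info["tags"])
        leaked = sorted(info["params"] & SENSITIVE_PARAMS)
        if leaked:  # personal data in a request to any third party, approved or not
            report["possible_harvesting"][host] = leaked
    return report


def diff_against_baseline(baseline_hosts, html, first_party):
    """Report third-party hosts that appeared or disappeared since the last inventory run."""
    current = set(external_origins(html, first_party))
    baseline = set(baseline_hosts)
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}


# Constructed sample page: two approved vendors, a first-party CDN, and an
# unapproved tracking pixel that receives the visitor's e-mail address.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.payments-vendor.example/checkout.js"></script>
<script src="//analytics-vendor.example/tag.js"></script>
</head><body>
<iframe src="https://cdn.payments-vendor.example/frame"></iframe>
<img src="https://static.shop.example/logo.png">
<img src="https://tracker.unknown-vendor.example/px?email=user%40example.com&amp;cid=42">
</body></html>"""

# Constructed baseline from a previous run (includes a widget that has since been removed)
SAMPLE_BASELINE = {"cdn.payments-vendor.example", "analytics-vendor.example", "old-chat-widget.example"}

if __name__ == "__main__":
    for section, rows in audit_page(SAMPLE_PAGE, FIRST_PARTY, APPROVED_VENDORS).items():
        print(f"{section}: {rows}")
    print("baseline diff:", diff_against_baseline(SAMPLE_BASELINE, SAMPLE_PAGE, FIRST_PARTY))
```

A single snapshot only catches what is in the static HTML; scripts that inject further scripts at run time (the fourth-party chain described in step 7) need the same audit applied to the rendered page or to live network requests, and the inventory should be re-run on a schedule so the `added` list is reviewed against the vendor contracts rather than discovered after a breach.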
6. Include Cyber Risk in Your Vendor Contracts
It’s crucial to incorporate cyber risk into your vendor contracts to protect your company from potential third-party data breaches. By doing so, you can ensure that your vendors are accountable for any security breaches and take steps to maintain their security posture.
To better manage cybersecurity risks and hold your vendors accountable, you can also incorporate Service Level Agreements (SLAs) into your contracts. These agreements can help guide the cybersecurity behavior of your vendors and mitigate your company’s cybersecurity risk. You could require vendors to report and fix security issues within so many hours, depending on the severity of the problem.
Finally, to identify any potential security issues that external security scanning has missed, it’s recommended to include the right to request a completed security questionnaire from your vendors once per quarter. By following these best practices, you can ensure that your company is better protected.
7. Assess Fourth-Party Risks
Even your vendors often need to rely on other vendors, which means they could be sharing your clients’ data with them. Since you need to know about every such connection, make it a requirement in your contracts with them to divulge the fourth-party vendors they use, so you get a full overview of your attack surface. Reflectiz allows you to monitor fourth-party applications just as easily as third-party ones. It can alert you about changes to your website as soon as they occur and give you end-to-end tracking of your data, so you can avoid data harvesting before it happens.
Reflectiz Protects
Combining the seven suggestions we’ve listed will considerably improve your security posture, and with the Reflectiz platform, you can manage all your third-party software via one centralized dashboard. Contextualized reports enable you to learn about the behavior of all the external applications you use, including client interactions, data collection, and suspicious activities. Book a demo today to see how you can keep using the third-party apps your online business needs without compromising your website security.