Why Data Breaches Start with Poor Third-Party Vendor Management, and What You Can Do About It

September 9, 2021

Vendors can be a godsend for a small or medium-sized business, providing services like logistics, accounting or payment systems at scale. But if your company uses vendors, have you considered what will happen during a vendor cyberattack? Too often, vendor attacks mean your data gets breached. Consider these latest headlines.

  • The SolarWinds attack of 2020 took down hundreds of federal agencies by attacking the monitoring services they used for network security.
  • A 2021 data breach cost the Pennsylvania Department of Health 72,000 patient records. How did it happen? Their contact-tracing vendor used an unapproved collaboration platform. Now, they’re being sued.
  • Records for 20 million customers of the popular parking payment app ParkMobile were breached in 2021, including account information and user license plates. The source? Third-party software.

Third parties, in fact, are involved in more than half of the breaches in the US, according to the latest research from the Ponemon Institute. Those breaches are twice as costly as other kinds of cyberattacks, too. Why? Because third parties are given privileged access to your information. A successful cyberattack on them means a VIP pass to your network.

Clearly, outside vendors can create serious cybersecurity risks. Yet, you can fix this problem with the right third-party vendor management. Let’s talk about how.


What is Third-Party Vendor Management?

Third-party vendor management is the process of vetting the companies you use for your supplies and services. This process includes understanding who your vendors are and how secure each vendor is. To achieve this, you need thorough vendor vetting and continuous monitoring. We recommend these key steps to achieve better third-party vendor management.


Steps to Cyber-Secure Third-Party Vendor Management


Audit All Third-Party Vendors Associated with Your Business

To begin, list all third-party vendors and the services or products they provide for your business. Only 34% of businesses know all of their third-party vendors. Chances are, your list will be long. You’d be surprised at how many vendors you interact with on a daily basis.


Assess Third-Party Risks

Do your research on all third-party vendors, especially those who will have access to your sensitive data, files, or financial information. Has this vendor been breached before? Are there negative reviews online for this vendor? How responsive is this vendor to cyber threats? Let this be your guide. If you don’t like what you see, it’s time to start looking for alternatives.


Vet Your Vendor’s Vendors

Ask your vendor about the third-party vendors they use. This may seem intrusive. But it’s like the adage: who delivers the mailman’s mail? Any vendor you choose should be able to provide you with a list of who they’re working with and what third-party software is used in their daily operations.


Check Compliance with Industry Regulations

Is your third-party vendor compliant with the rules and regulations governing your industry? HIPAA, for instance, imposes very strict privacy requirements. If your third-party vendors do not meet its standards, you can find yourself in a costly violation nightmare. Ask them for documentation on this point.


Create Tiers for Security Permissions

Not all third-party vendors need access to your sensitive data. Your landscaper, for instance, doesn’t need to access your financial data. In fact, some vendors don’t need any network access at all.


Review Your Service Level Agreements

Third-party vendor management will include looking over your service agreements. On a basic level, you need to be sure you are getting all your contracted services and products.


Set up a Monitoring Plan

Once the initial vetting is complete, you need to create a comprehensive third-party management plan. Make sure this includes ongoing monitoring of your vendors to make sure they remain secure and compliant.


Five Ways an Integris Third-Party Vendor Management Plan Can Save You Time and Money

No matter how long you’ve worked with your third-party vendor, they should be properly vetted. If a breach occurs, you will be held partially responsible, regardless of the breach’s source.

If you have the resources and time, you can perform your own third-party management strategy. You can save yourself a lot of headaches, however, if you hire a managed services provider (MSP) to help. MSPs like Integris are uniquely qualified to vet your vendors. Here are a few reasons to let Integris handle your third-party management strategies.


#1—Third-Party Management Strategies Take Time and Resources

On average, companies interact with over 180 vendors per week. This is far too many for businesses to manage alone. Your IT department can handle some of the burden, but they are already busy dealing with your business’ daily IT needs. You need a partner who can help you manage the details of your third-party vendor management plan.

Integris provides your small to medium-sized business with affordable, scalable third-party management solutions.


#2—Iconic Can Provide Immediate Remediation

Integris can react to security threats in ways that you can’t. Our 24/7 security monitoring can catch problems before they spread. And we can isolate those threats, so they don’t affect your network.

Integris can detect risky third-party practices and start mitigating the threats immediately.


#3—Integris Follows Up with Third-Party Monitoring

After the third-party risk assessment has been completed, we follow up with the vendors periodically to ensure their compliance.

Integris’ monitoring service ensures your vendors meet industry compliance and security standards.


#4—Regulatory Compliance

Industries like healthcare or banking require a thorough third-party management plan. Integris understands the regulatory mandates you may be facing, and can develop a plan to address them.

Integris can help your company ensure that all vendors are compliant with regulatory requirements.


Turn to the Pros for Third-Party Management Solutions

Integris is uniquely qualified to provide your smaller business with the comprehensive cybersecurity plan you need. Contact us today for a risk-free, no-obligation IT audit and see how our third-party management strategies can help your business stay safe and compliant.

We're Integris. We're always working to empower people through technology.
