Think about all of the sensitive information a company’s vendors have access to. Now imagine they have a security breach and all that information is at risk. When it comes to securing that information, too often companies do the minimum needed to pass an upcoming audit. It isn’t considered a critical security priority. And that can be a huge mistake.
There is an enormous amount of trust given to these outside organizations, and yet, according to a Ponemon Institute study, more than one third of companies don’t believe vendors would tell them if they had a data breach. Even so, the Information Security team is often given marching orders to do whatever it takes to ensure the company meets audit and compliance guidelines so the company can focus on adding new customers faster.
If the company is one of the lucky few that hasn’t had a breach yet, the time may be close and a third party vendor may be the reason. In 2016, the number of data breaches increased 40%, with the average U.S. data breach costing $7.1 million. In addition, 63% of data breaches are linked to third parties in some way. So what is the risk? Why do companies need to think about third party vendor security as a critical issue?
The Rapid Adoption of SaaS
Where did all of this sudden concern around third party vendors come from? The answer is likely in the growth of the cloud and SaaS products. According to IDC, the Software as a Service (SaaS) market is growing at 5X the rate of on-premise software adoption, which increases the risk of an incident every day.
It seems new SaaS technology launches daily to help companies do more with less. Companies are continuing to work with an increasing number of vendors who gain more and more access to their company information, placing the security of that information outside the company’s direct control.
While some employees believe they’re just working on another API or integration, it can actually be a huge security risk. With the level of interconnectedness in these systems, even one compromised integration can be disastrous.
Smarter Tools, Smarter Hackers
Cyber security attacks are on the rise. According to the Center for Internet Security, in 2015, there were 79,790 cyber security incidents, meaning any event that compromises the confidentiality, integrity or availability of an information asset, with 2,122 of these events confirming data loss. That can be the downfall for many small to midsize companies. Security Magazine reports that 60% of small to midsized companies that experience an attack end up going out of business within 6 months after a breach.
In these attacks, what information is targeted? PwC reports that, in the case of the hacking of a midsize company, 31% of the time hackers compromise employee records, and 27% of the time they compromise customer records. Less frequently, hackers steal intellectual property or compromise partner or customer information, which incurs financial loss or interrupts business processes.
While small companies often take the brunt, any company impacted by a security breach suffers some sort of loss, whether financial, lost time or damaged market perception.
Why the vulnerability with third party vendors?
Most companies — even third party vendors — have security measures in place. So where is the disconnect? Few organizations are aware of who their third party vendors are, what they are doing, and their level of security. In the aforementioned Ponemon Institute report, only 33% of companies have an inventory of their third party vendors and the data they have access to.
While Information Security teams, like many departments, have to be careful about where they put their resources, there are some simple things that companies can begin doing today to raise awareness internally and improve the security of their third-party relationships. Doing so can help garner more resources and additional attention for this increasingly important part of information security.
Interested in learning what your team can start doing today? Stay tuned for the next blog post covering getting leadership on board, and in the meantime, download our latest ebook, Why Third Party Security is Critically Important.
Located in the heart of the Silicon Slopes in Utah, Whistic is a leading third-party security assessment platform. Built for information security teams looking to improve the effectiveness, efficiency and scope of their third-party security assessment program, Whistic enhances productivity and unlocks insights traditionally trapped in static security questionnaires. Using the platform’s intelligent and automated recurring assessments, Whistic customers eliminate the administrative burdens of back-and-forth third-party requests and free up time to focus on security. The Whistic platform is designed for an intuitive and collaborative user experience and harnesses the wisdom of hundreds of security professionals to deliver risk insights through its proprietary CrowdConfidence scoring algorithm.