When it comes to keeping data secure, not even the world’s leading cybersecurity companies are invulnerable. A new report by global application security company ImmuniWeb said it found that 97% of such companies had experienced security breaches and other incidents that led to customer data being leaked on the so-called “Dark Web.”
ImmuniWeb said it decided to research the topic of third-party vendor risks due to “the rapidly growing sophistication and quantity of cyber-attacks targeting trusted third-parties.” The numbers are eye-opening:
- On average, each cybersecurity company had lost over 4,000 credentials or other types of sensitive data to hackers.
- 25% of the stolen credentials contained highly sensitive data such as plaintext credentials or PII, including financial or similar data.
- 63% of cybersecurity company websites either did not comply with PCI DSS requirements, used vulnerable or outdated software or lacked web application firewalls in blocking mode.
Why Hackers Go After Third-Party Vendors
The ImmuniWeb report highlights the weak spot that third-party vendors or providers have long represented in data security. In 2013, the accounts of about 110 million Target customers were accessed by hackers who found a third-party HVAC vendor with access to Target’s network. A year later, attackers used a third-party’s login credentials to access the credit card data of some 56 million Home Depot customers. And this past summer, the popular personal financial app and challenger bank Dave reported that the personal data of 7.5 million of its users had been hacked after a breach from Waydev, one of its third-party service providers. The hackers published user data on a public form and a class-action lawsuit against Dave followed.
ImmuniWeb said hackers choose to attack third-party vendors, rather than the big companies who work with them, because they believe their chances of success are higher. Hackers assume, correctly as it often turns out, that third parties “lack the internal expertise and budget to react quickly to the growing spectrum of targeted attacks.” Unable to focus on security in the way their large clients can, third parties will always tend to be the more vulnerable target.
Unfortunately, reliance on third-parties is unavoidable. In today’s interconnected world, it’s all but impossible for any organization to go it alone. Consider the findings from a survey conducted by Bomgar (now BeyondTrust) involving hundreds of IT professionals across a multitude of industries in the US and Europe. Survey respondents said that 89 separate vendors access their company networks every week, on average. Given the sheer number of external vendors companies work with, it’s not surprising that more than two thirds of survey respondents (69%) said they had “definitely or possibly” suffered a security breach due to vendor access in the past year.
The Power of Encrypting Data in Use
Although the risks are very real, companies will continue to work, often very closely, with third parties. These relationships are integral to the way business works today and can in fact be critical to a business’s success.
Resigned to the fact that some kind of security incident is more or less inevitable, many organizations rely on contractual agreements with their vendors and partners to shield themselves from legal claims in the event of a breach. Needless to say, such agreements are basically window dressing. They won’t protect an organization’s reputation when something bad happens. More importantly, they can’t protect the customers whose private information has been stolen from the ensuing harm.
More than legal cover, companies need an actual solution capable of protecting data and keeping it encrypted throughout the whole lifecycle, whether it’s being stored, accessed or shared. In other words, companies need to be able to use their data in a variety of ways without exposing it to undue and entirely avoidable risk.
On the client side, adopting a solution that encrypts data in use allows companies to engage needed third-party vendors or cloud services with less worry about their security capabilities. It’s natural to be concerned about security when working with third parties, but these concerns shouldn’t limit a company’s options. Encryption of data in use can eliminate many of those concerns and allow a business to focus on using the best solutions available to achieve their goals.
As important as a solution like this may be for clients, it is even more critical for third-party vendors. Lack of trust shouldn’t be an obstacle to new customer acquisition. When third parties adopt the ability to encrypt data in use, particularly in a way that gives customers the keys to their data, it creates peace of mind that ushers in new business opportunities. Indeed, given the legitimate hesitation that companies can have when working with third parties, being able to offer a solution like this delivers a truly differentiating competitive advantage.
While there are solutions that encrypt data at rest and in transit, the tough nut to crack has long been encrypting data in use. Of course, that is exactly the challenge companies face when working with third parties. And even if a particular third-party vendor has come up with a solution that addresses the issue, this won’t help with all the other vendors a company relies on. In other words, the optimal solution needs to be scalable so it can work with multiple organizations. A handful of one-off fixes won’t cut it.
As long-time veterans of the data industry, we are fully aware of the many challenges that come with maintaining data security in a multi-vendor world. It is what drove us to develop our solutions at Sotero. Find out how they work here.