The Escalating Risk of Core Third-Party Data Breaches

Major data breach of commonly-used core technology vendor impacts an entire sector, yet again

In today’s interconnected business landscape, companies rely heavily on third-party vendors and suppliers to streamline operations, enhance efficiency, and drive growth. In fact, one survey highlighted that a company’s average SaaS portfolio contains 371 applications. The efficiencies gained from relying on third-party vendors have led to this scale of use, including in the core operations of many businesses. CIOs benefit, yet face a huge challenge in managing this portfolio.

Unfortunately, this intricate web of relationships has also inadvertently created a new cyber attack surface for companies, making third-party data breaches an increasingly prevalent and devastating threat. When a core third-party vendor is compromised, the ripple effects can spread rapidly throughout the entire supply chain, impacting not only the primary target but also its entire client base. 

The consequences of being unprepared for such incidents can be catastrophic, leading to severe financial losses, operational disruptions, regulatory penalties, and irreparable reputational damage. Companies that fail to proactively recognize their dependency on their vendor ecosystem and prepare for their potential compromise are leaving themselves vulnerable to costly data breaches and crippling operational outages. 


Change Healthcare: A Massive Sector-Wide Impact

The recent ransomware attack on Change Healthcare, a leading provider of healthcare technology solutions, serves as a stark reminder of the far-reaching consequences of such incidents. According to the American Hospital Association (AHA), Change Healthcare processes a staggering 15 billion healthcare transactions annually, touching one in every three patient records in the United States. 

The ripple effect of this attack has been disastrous, with 74% of hospitals surveyed by the AHA reporting direct impacts on patient care, including delays in authorizations for medically necessary treatments. Moreover, 94% of hospitals have experienced financial repercussions, with more than half describing the impact as “significant or serious,” and a third reporting disruptions to over half of their revenue streams.

This incident highlights the critical role that third-party vendors play in the seamless operations of businesses across industries. When these core partners are compromised, the consequences are far-reaching, affecting not only the primary target but in many cases their entire client base. In the healthcare sector, the implications are particularly severe. Delayed care, disrupted revenue streams, and compromised patient data can have life-threatening consequences, underscoring the critical importance of robust cybersecurity measures across the entire healthcare ecosystem.

The healthcare sector is not alone in grappling with the consequences of third-party data breaches. Numerous recent high-profile incidents have demonstrated the vulnerability of supply chains and the severe implications for businesses and their customers. 

Other Core Third-Party Breaches & Their Implications

In May 2023, the Progress Software MOVEit breach exposed a vulnerability in the company’s popular managed file transfer software, enabling unauthorized actors to access and potentially alter or delete sensitive information. This breach impacted a wide range of organizations across multiple industries, including HR software providers, media companies, and government agencies. By one count, over 2,000 organizations were reportedly attacked via this vulnerability, with consumer data stolen from over 62 million people.

The more recent Okta breach, which occurred in October 2023, further underscores the gravity of core third-party data breaches. Okta, a leading identity and access management platform used by companies globally, initially believed the breach of its environment affected only about 1% of its customers. About a month later, it revealed that data from all of its customers had in fact been compromised. Given that Okta has about 18,000 customers and its software is used to access other software products, the cascading impact is immense.

The direct financial implications of third-party data breaches are staggering. According to the Ponemon Cost of a Data Breach report, the average cost of a data breach in 2023 was $4.35 million, with the healthcare industry facing an even higher average cost of $9.23 million per breach. With only about 30% of the cost of an incident relating to direct cybersecurity response efforts, these costs encompass a wide range of factors, including legal fees, communications costs, regulatory fines, and outside support. 

Beyond the direct financial toll, third-party data breaches can have far-reaching consequences. Lawsuits are common post-breach: for the MOVEit breach alone, class action lawsuits were filed against Progress Software itself, against IBM for servers it ran for multiple companies that were breached, and against many others using the software. Data breaches can also lead to identity theft, financial fraud, and compromised personal and medical information, eroding consumer trust and damaging brand reputation, which in turn leads to stock price drops and lost revenue. It’s an understatement to say the long-tail cost of core third-party breaches is significant.

Further, the recent convictions and charges brought against various industry CISOs and other C-level executives by a number of US federal agencies should make the risk of personal liability when dealing with cyber incidents increasingly obvious. The threat of criminal charges and of whistleblowers reporting internal misconduct has heightened awareness of the gaps in existing core third-party vendor security readiness, prompting vendor customers to focus on building out detailed incident response plans for these events.

These incidents are not isolated occurrences but rather part of a growing trend. As businesses continue to embrace outsourcing critical operations to third-party vendors, the attack surface expands, creating new vulnerabilities that cybercriminals are eager to exploit.

Proactively Preparing for Third-Party Vendor Breaches

Given the deep operational reliance companies now have on their core third-party vendors, their teams must take a proactive approach to mitigating the risks associated with those vendors being compromised. First and foremost, organizations should prioritize cybersecurity during the vendor sourcing and selection process. Conducting thorough due diligence on potential vendors is key, including evaluating their information security practices and giving precedence to those with demonstrable maturity in this area.

Organizations should consider requiring vendors to independently verify their information security practices through certifications or accreditations against established frameworks, such as SOC 2 and ISO 27001, and/or via self-attestation to cybersecurity compliance frameworks like the NIST Cybersecurity Framework (CSF). This should provide an additional layer of assurance that core vendors are proactively addressing their cybersecurity program.

Organizations should have well-defined policies governing when and how sensitive information can be shared with third parties, including any subsequent downstream vendors in their supply chain. Once core third-party vendors are on board, enforcing these policies will further minimize risk of incident impacts. Continuous third-party vendor monitoring is also useful, potentially including monitoring news and other sources for potential data breaches.

A critical aspect of mitigating core third-party vendor risks is gaining a comprehensive understanding of the types of processes and data involved in each relationship. Organizations must have a clear grasp of the sensitive information being shared with vendors, including personal data, financial records, intellectual property, and other proprietary information. By mapping data flows, organizations can identify potential vulnerabilities or points of exposure within the supply chain, allowing them to take proactive steps to secure these areas. Ultimately, a comprehensive understanding of data flows empowers organizations to make informed decisions about appropriate safeguards, risk mitigation strategies, and data protection measures to ensure that sensitive information remains protected throughout the entire vendor lifecycle.

Effective vendor offboarding and termination processes are also critical to preventing third-party data breaches. Organizations must ensure that access permissions and credentials are revoked promptly upon the conclusion of a vendor relationship, mitigating the risk of accidental or unauthorized access or data exposure.
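The vendor-management steps above (due diligence against recognized frameworks, mapping which data each vendor holds and which vendors depend on which, and revoking access at offboarding) expressed as a small vendor-risk inventory in Python. This is an added example, not code from the article or from BreachRx; the vendor names and inventory are constructed, and a `depends_on` edge stands in for both an identity-provider dependency (the Okta-style cascade) and a downstream subprocessor.

```python
from dataclasses import dataclass, field
from datetime import date

# Frameworks the article names as acceptable verification or self-attestation targets.
RECOGNIZED_ATTESTATIONS = {"SOC 2", "ISO 27001", "NIST CSF"}
# Data categories the article lists as sensitive information shared with vendors.
SENSITIVE_DATA = {"PII", "PHI", "financial", "IP"}


@dataclass
class Vendor:
    name: str
    data_shared: set                              # categories of our data this vendor holds
    attestations: set = field(default_factory=set)
    depends_on: set = field(default_factory=set)  # vendors it relies on (IdP, subprocessor)
    contract_end: date = None                     # None while the relationship is active
    access_active: bool = True


def blast_radius(vendors, compromised):
    """Vendors affected, and data categories exposed, if `compromised` is breached.
    A breach cascades to every vendor that depends on an already-affected vendor."""
    affected, frontier = {compromised}, [compromised]
    while frontier:
        current = frontier.pop()
        for v in vendors:
            if current in v.depends_on and v.name not in affected:
                affected.add(v.name)
                frontier.append(v.name)
    exposed = set().union(*(v.data_shared for v in vendors if v.name in affected))
    return affected, exposed


def due_diligence_gaps(vendors):
    """Vendors holding sensitive data with no recognized attestation on file."""
    return sorted(v.name for v in vendors
                  if v.data_shared & SENSITIVE_DATA and not v.attestations & RECOGNIZED_ATTESTATIONS)


def offboarding_gaps(vendors, today_iso):
    """Vendors whose contract ended before `today_iso` but whose access is still active."""
    today = date.fromisoformat(today_iso)
    return sorted(v.name for v in vendors
                  if v.contract_end and v.contract_end < today and v.access_active)


# Constructed inventory; vendor names are hypothetical.
INVENTORY = [
    Vendor("IdentityCo", {"PII"}, {"SOC 2"}),
    Vendor("ClaimsClearing", {"PHI", "financial"}, {"SOC 2"}, {"IdentityCo"}),
    Vendor("FileXfer", {"PII"}, set(), set(), date(2024, 1, 31)),
    Vendor("PayrollHR", {"PII", "financial"}, {"ISO 27001"}, {"FileXfer"}),
]
```

Running `blast_radius(INVENTORY, "IdentityCo")` shows the cascade: a breach of the identity provider also affects ClaimsClearing and exposes PHI and financial data the provider never held directly.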

Ultimately, addressing the escalating threat of third-party data breaches requires a collaborative effort from all stakeholders, including businesses, vendors, policymakers, and consumers. Organizations must prioritize cybersecurity as a strategic imperative, allocating appropriate resources and fostering a culture of security awareness across all levels of the organization.

Given that companies clearly face increasing risk from third-party breaches, they must embrace a paradigm shift in their approach to incident response, emphasizing proactive readiness, repeatability, and multiple comprehensive playbooks that encompass the breadth of incidents they would face from breaches of their core third-party vendors. This includes not just the initial investigation and containment, but also navigating legal and regulatory obligations as well as communication strategies across various internal and external stakeholders and customers.

Preparing for third-party vendor breaches through training, simulation, and exercises is crucial for organizations to effectively respond and mitigate the impacts of such incidents. Regular training and simulated exercises help organizations identify potential vulnerabilities, test their incident response plans, and ensure that all stakeholders, including security, legal, IT, communications, and decision-makers, are aligned and prepared to handle core third-party vendor breaches. Understanding the impact a core vendor outage or compromise has on operations is a key first step in proactive readiness.

Embracing technology automation, such as with the BreachRx incident response platform, not only meets all these requirements but also enhances team collaboration while protecting legal privilege, accelerates response times, and reduces the impact of incidents. Automation enables teams to decisively prepare for security incidents, fortifying their cyber resilience across the organization and reducing incident costs.

The escalating number and impact of core third-party data breaches should be a clear wake-up call for businesses and organizations across industries around the globe. The far-reaching consequences of these incidents, from financial losses to compromised customer data and support, and eroded consumer trust, demand immediate and concerted action. By prioritizing the means for cybersecurity incident response and embracing a proactive approach to managing core third-party risk, businesses can mitigate the risks of breach impacts and build a more resilient and secure foundation upon which they can reliably operate.
