Third-party data security failures put everyone’s data at risk

Third party security CSC Blogs

A data breach reported in early April is the latest in a string of breaches involving trusted third parties or partners. As Steve Ragan at CSOonline wrote in his post, Latest tax-related data breach could affect employees and their children, this breach affected Whiting-Turner, a Baltimore, Maryland-based construction company that services both the private and public sectors.

The data breach will affect employees and children because of a breach that occurred at a vendor hired to conduct tax services. Whiting-Turner employees have already reported fraudulent tax filings in their names.

While the construction firm severed network access for the vendor and is doing an investigation, a lot of damage is already done. “(W)e believe this incident may affect the security of your child’s information contained on that employee policyholder’s 2015 IRS Form 1095, which includes the following: name, date of birth, and Social Security number of any minor dependent,” read a letter to Whiting-Turner employees.

Third-party security, as well as the security of the service providers and subcontractors hired by third-party vendors, is a growing concern, and organizations have taken notice. According to a recently released survey by BuckleySandler and Treliant Risk Advisors (conducted by the Ponemon Institute), U.S. companies have significant concerns regarding third-party vendor security, including data safeguards, security policies and procedures.

Based on responses from 598 professionals who are familiar with their organization’s approach to managing data risks created through outsourcing, the survey found that more than a third of businesses “do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information occurred.”

Here are some more key highlights from the study, Data Risk in the Third Party Ecosystem (.pdf):

  • Companies are often uncertain if their third parties had a data breach. Half of respondents (49%) confirm their organization experienced a data breach caused by one of their vendors, but 16% are unsure.
  • The number of cybersecurity incidents involving third parties is increasing, says 73% of respondents; 65% of respondents say it’s difficult to manage cybersecurity incidents involving vendors.
  • Respondents admit they are sharing sensitive data with third parties that might have poor security policies. 58% of respondents say they are not able to determine if vendors’ safeguards and security policies are sufficient to prevent a data breach. Only 41% of respondents say their vendors’ data safeguards and security policies and procedures are sufficient to respond effectively to a data breach.
  • Companies need to strengthen the governance practices of their vendor management programs. Only 31% of respondents rate the effectiveness of their vendor risk management program as highly effective. Only 38% of respondents say their organizations establish and track metrics regarding the effectiveness of the vendor risk management program. and less than half (48%) have a vendor risk management committee.
  • Boards of directors are not involved in third-party risk management programs. 62% of respondents say their board of directors does not require assurances that vendor risk is being assessed, managed or monitored appropriately or they are unsure.

RELATED LINKS

For enterprise workers, convenience trumps security

5 common passwords sins that weaken security

6 ways your end users sabotage mobile security

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: