A data breach reported in early April is the latest in a string of breaches involving trusted third parties or partners. As Steve Ragan at CSOonline wrote in his post, Latest tax-related data breach could affect employees and their children, this breach affected Whiting-Turner, a Baltimore, Maryland-based construction company that serves both the private and public sectors.
The breach occurred not at Whiting-Turner itself but at a vendor the company had hired to provide tax services, and it affects both employees and their children. Whiting-Turner employees have already reported fraudulent tax filings in their names.
While the construction firm has severed the vendor's network access and is investigating, much of the damage is already done. “(W)e believe this incident may affect the security of your child’s information contained on that employee policyholder’s 2015 IRS Form 1095, which includes the following: name, date of birth, and Social Security number of any minor dependent,” read a letter to Whiting-Turner employees.
Third-party security, as well as the security of the service providers and subcontractors hired by third-party vendors, is a growing concern, and organizations have taken notice. According to a recently released survey by BuckleySandler and Treliant Risk Advisors (conducted by the Ponemon Institute), U.S. companies have significant concerns regarding third-party vendor security, including data safeguards, security policies and procedures.
Based on responses from 598 professionals who are familiar with their organization’s approach to managing data risks created through outsourcing, the survey found that more than a third of businesses “do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information occurred.”
Here are some more key highlights from the study, Data Risk in the Third Party Ecosystem (.pdf):
- Companies are often uncertain whether their third parties have had a data breach. Half of respondents (49%) confirm their organization experienced a data breach caused by one of their vendors, but 16% are unsure.
- The number of cybersecurity incidents involving third parties is increasing, say 73% of respondents; 65% of respondents say it’s difficult to manage cybersecurity incidents involving vendors.
- Respondents admit they are sharing sensitive data with third parties that might have poor security policies. 58% of respondents say they are not able to determine if vendors’ safeguards and security policies are sufficient to prevent a data breach. Only 41% of respondents say their vendors’ data safeguards and security policies and procedures are sufficient to respond effectively to a data breach.
- Companies need to strengthen the governance practices of their vendor management programs. Only 31% of respondents rate their vendor risk management program as highly effective. Only 38% of respondents say their organizations establish and track metrics on the effectiveness of the vendor risk management program, and fewer than half (48%) have a vendor risk management committee.
- Boards of directors are not involved in third-party risk management programs. 62% of respondents say their board of directors does not require assurances that vendor risk is being assessed, managed or monitored appropriately, or are unsure whether it does.