Welcome to 3rd Party Breaches, brought to you by IBM. In this video, we'll learn what constitutes a third-party breach, review response methodologies, and then learn what types of breaches are most common for third-party vendors.

Supply-chain attacks, also known as value-chain attacks or third-party attacks, are attacks that originate from one of your third parties that has access to your systems. That includes data management companies, law firms, email providers, web hosting companies, subsidiaries, vendors, subcontractors, any external software or hardware used in your systems, even the JavaScript added to your website to collect analytics, and the list goes on.

In a 2018 Ponemon Institute study, 64% of businesses said they were most concerned with a third party misusing or sharing confidential information with other third parties. Of those surveyed, 41% actually encountered that issue. So while it was the number one concern across all the companies, it was number two among events that actually happened.

To give you more context on the landscape of third-party breaches, consider these quick statistics. $21 million is the average annual spending on vetting third-party companies; however, 64% say the process is only somewhat effective or not effective at all. 40% of organizations use manual procedures like spreadsheets, and 51% employ risk scanning tools to vet their third parties; however, 34% said the results of these tools were only somewhat valuable, while 20% said the results don't provide any insights. Third parties are spending 15,000 hours a year completing assessments, at an average cost of $1.9 million annually; however, 55% of these assessments only somewhat reflect, or do not accurately reflect, their security posture. Only 8% of assessments resulted in action, such as disqualification of a vendor or a requirement to remediate the security gaps.
However, even when assessments revealed gaps, only 26% of respondents say their organizations terminated the relationship.

To get a better idea of what these breaches look like, I'll refer to a NormShield study. The top three uses of third parties were cloud-based storage, service or hosting providers; online payment, credit card processing or point-of-sale systems; and JavaScript on websites, used for web analytics, visitor tracking, etc.

While 2018 and 2019 brought record-breaking third-party breaches, 2020 is already off to a scary start. This graph is by no means a comprehensive list of every third-party breach that's happened this year so far, but it's a good representation of the heavy hitters that have happened already, starting with Instagram in January; the latest is Marriott in April of 2020. Personal information and financial information seem to be the trending data leaked through every one of these breaches. Some are even more severe, with social security numbers and driver's license numbers being exposed, leading to a greatly increased chance of identity theft.

So how did third-party breaches become such an issue? Well, when companies began extensively outsourcing and globalizing the supply chain in the 80s and 90s, they did so without understanding the risk suppliers posed. A lack of physical or cyber security at supplier sites could result in a breach of corporate data systems or product corruption. In the beginning, only the most basic questions were asked, like: how well do suppliers vet their own personnel? Of particular concern are the personnel at supplier companies who have access to the data systems or facilities of their customers. How well do vendors vet their service providers? Any service provider, from janitorial services to system maintenance, or any provider with access to company information, poses a potential cyber risk. And how well do vendors vet their products and software?
Of particular concern are products with embedded IT that will be integrated into their customers' systems.

As concern grew, we moved from questions to building frameworks and best practices. The National Institute of Standards and Technology created supply chain risk management guidance. It says that a primary objective of cyber supply chain risk management is to identify, assess and mitigate products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the supply chain. Cyber supply chain risk management activities may include: determining cyber security requirements for suppliers; enacting cyber security requirements through formal agreements such as contracts; communicating to suppliers how those cyber security requirements will be verified and validated (think of auditing); verifying that cyber security requirements are met through a variety of assessment methodologies; and then governing and managing all of the above.

"The third-party ecosystem is an ideal environment for cyber criminals looking to infiltrate an organization. And the risk only grows as these networks become larger and more complex," says Dov Goldman, VP of Innovation and Alliances at Opus. To stay ahead of the risk, companies and executives need to collaborate around plans for third-party detection and mitigation that support automation technology and strong governance practices.

In 2018, companies and executives did collaborate to come up with a list of best practices on how to avoid a third-party breach altogether. The first is an evaluation of the security and privacy practices of all third parties: there's a need to conduct regular audits and assessments to evaluate the security and privacy practices of third parties. The second is an inventory of all third parties with whom you share information.
You need to track all third parties that have access to sensitive data, and how many of these parties are sharing that data with others. The third is a frequent review of third-party management policies and programs: implement formal processes to regularly evaluate the security and privacy practices of third parties and Nth parties, particularly to address new technologies and innovations like Internet of Things devices. Next is third-party notification when data is shared with Nth parties: we need to mandate that third parties provide information and transparency into their Nth-party relationships prior to sharing sensitive data. And last, oversight by the board of directors: we need to involve senior leadership and boards of directors in third-party risk management programs. High-level attention to third-party risk may increase the budget available to address these threats.