Most companies today use some type of third-party data solution. But are those third-party vendors safe?
We all know that companies collect and keep our data.
And there’s a purpose for this, usually. That data is what creates personalized, relevant experiences that keep us coming back again and again. Like product recommendations based on what you’ve already bought or an email that addresses you by name.
But what you might not know, as a consumer or even an employee, is where that data goes. Or who has access to it.
It’s not uncommon for companies to store their data off-site. In fact, a lot of brands rely on third-party storage, data processing and analytics solutions, especially cloud-based ones. But that convenience might come at a cost.
You might be wondering, is this really a problem? And if so, how big is that problem?
According to research from Wiz, only 4% of organizations don’t have third-party apps in their environment. Meaning 96% of companies are potentially at risk of data leaks, account takeovers, supply chain attacks and more.
The Problem With Third-Party Data Vendors
Why do brands even bother offloading their data to a third party in the first place? For one, it’s typically cheaper than hiring a dedicated in-house team; especially if you decide on a vendor in another country, such as China or India. And for a lot of companies, that bottom line is the deciding factor. It frees up time, meaning your in-house team can focus on other, seemingly more important tasks.
Plus, as mentioned above, it’s convenient. A cloud-based data storage solution is always available to you online. You can upload your data instantaneously, and you can also access it any time you need. Many companies look at these benefits and think, “Great, this is the best solution for the company!” And while some pause to think about the risks and precautions they must take, many do not.
That’s how you get stories like the January 2022 data breach from the Red Cross. The non-profit, which stored its data with a Switzerland-based contractor, lost data on more than half a million “highly vulnerable people” — those receiving aid and charity services across the globe.
Or the older but more infamous attack on Target that occurred in 2013, when credentials were stolen from the retailer’s third-party vendor. The result? Attackers gained access to customer names, phone numbers, email addresses, credit card numbers, credit card verification codes and other sensitive personal data.
These types of attacks and breaches occur every day. In fact, the FBI claims they receive more than 2,300 complaints regarding cybercrime (personal data breaches, phishing attempts, ransomware attacks, etc.) each day — a whopping 552,000+ per year. And the cost of these cybercrimes? $6.9 billion in 2021 alone.
Why do these attacks happen? Are companies lacking the resources or knowledge on how to keep data safe? Are they failing to do their due diligence? Or are hackers simply too smart to keep out?
Related Article: A Data Breach Will Happen to You: Here’s What to Do
It’s All in the Setup
One of the first things a company does after purchasing or subscribing to a third-party storage solution is set it up. And that’s where part of the problem lies. Any platform you use, whether related to data or not, has hundreds of settings. And as you customize your cloud-based data platform, in a perfect world, only you have access to it, only you know it exists and it is not publicly available online.
But this is not a perfect world. Bill Malik, VP of infrastructure strategies at Trend Micro, pointed out that other team members will invariably have access to this platform — those who are knowledgeable about data safety and those who are not. The third party itself may have access to this data.
“And if any one of those people gets any one of those 500 or so settings wrong,” said Malik, “then that information is visible.” He added, “The sad truth is that although there have been four or five incidents in the past five years where the cloud provider messed up and made stuff visible, the other thousands of security breaches have all been because the user’s setup was misconfigured.”
Therefore, those purchasing the platform, and those configuring it, ultimately have the responsibility of knowing how to use it. “If I buy a car and I drive it into a tree, that’s not the manufacturer’s problem,” said Malik.
Who Has Permission?
A lot of third-party storage platforms are complex, to the point where companies don’t understand how to use them and don’t know what permissions they’re giving away.
The Wiz discovered that 82% of companies using third-party cloud-based vendors give these vendors access to all cloud data — with more than 90% of those companies completely unaware of it. And these vendors do not need this access for any (good) reason. On top of that, 76% of organizations had at least one program that would allow for a complete account takeover — a privilege that should never go to a third-party vendor and should even be closely monitored in-house.
One privilege data storage vendors often bake into their platforms is read-only access. And companies that see this privilege often overlook it, thinking it’s likely necessary for the third party to do its job and it isn’t associated with any real risks.
However, if the wrong person gains this privilege, it could lead to the leakage of personal information, company secrets and other data stored in the cloud — even by accident. In fact, human error is the leading cause of data breaches, according to Netwrix. While vendors may say they require read-only access for easier deployment, it’s not necessary.
“Unless the hosting vendor also provides services to the brand (e.g., data maintenance, processing) there should not be a scenario where the storage vendor has access to the data,” said Kristina Podnar, global digital policy adviser at XRSI. “The data should be encrypted and only those individuals granted permission by the brand (presumably brand employees with a dedicated admin account) should be able to access the data.”
From Third-Party to Third-Party
One common problem Malik pointed to is the hand-off of information. For instance, say you give your data to a third party to perform analytics with the agreement that the information will never leave the United States. Then that third party hands off the project to another team, who may even hand off the data to another team. And somewhere down the line, that agreement is lost, and now the data is in another country.
One risk is the (customer and company) data is no longer protected — information like credit history, bank account information, addresses, etc. And someone could use this data to potentially make fraudulent purchases and steal identities. That’s the most obvious risk. But experts have now pinpointed a second, even larger risk.
“It’s not just the fact that the guy may pick my pocket,” said Malik, “but before he does, he’s going to take a look at my contact list and my social media history and come up with a profile that will then make it easier for me to be targeted.”
And who is doing the targeting? It could be marketers. It could also be political action committees looking to sway your opinions and actions. It could even be nation states that want to disrupt things in the United States — not dissimilar to how Russia deploys troll farms to create tension, spread misinformation and spark division.
Related Article: Data Best Practices: Integration, Enrichment and Integrity
How to Protect Your Data and Your Company
At this point, the situation sounds pretty bleak. Third-party vendors come with a lot of risks — risks that many organizations aren’t fully aware of.
But if you’re a part of a leadership team that works with and sets up third-party solutions, there is something you can do about it. It all comes down to asking the right questions and empowering yourself (and your team) with knowledge.
Ask Lots of Questions
When searching for a third-party data solution, one thing you should do is ask questions — a lot of them. Podnar offered up a list of questions organizations can ask to assess third-party vendors:
- Has the vendor identified policies and governance (individual privacy protection controls, responsibilities for marinating data security, clear identification of a data steward as a point of contact for the brand)?
- Does the vendor have an acceptable use policy in place, and are regular checks and trainings taking place?
- What does physical security look like (securing access to any areas where sensitive data is stored, monitoring of physical access)?
- Is there clear network mapping, with applications, data and network layers denoted?
- Is there an inventory of assets?
- Is authentication managed by categories?
- Are there layered defenses?
- Is there secure configuration and access control?
- Are there firewalls and intrusion detection and prevention systems in place?
- Does the vendor practice automated vulnerability scanning?
- Does the vendor regularly perform patch management?
- Has the vendor ensured that all unnecessary services are shut down on the server?
- How does the vendor deal with incident handling? Is there a plan in place?
- At what intervals does the vendor perform audit and compliance checks? Are the monitoring mechanisms in place?
- Is the vendor certified (e.g., SOC2)?
Look at the SBOM
The software bill of materials (SBOM) is like the nutrients label on a can of soup, said Malik. It’s the list of “ingredients” that make up a piece of software. “It’ll tell you which pieces of this code that you are bringing into your system came from where and when,” he said.
Whenever you decide on a new third-party solution for your organization, it’s imperative to take a look at the SBOM. If there is a defect in a product, this information will allow you to analyze your own setup and see if it might be compromised. SBOMs are voluntary, but there are standards on how to build one, including what kind of information they can have.
“The idea has been picked up especially in light of SolarWinds,” said Malik, referencing a 2020 supply chain attack on the SolarWinds Orion system. Hackers gained access to the networks, systems and data of thousands of SolarWinds customers — public and private organizations including local, state and federal agencies.
Once platform vulnerabilities are discovered, Malik said organizations can run alerts against the known exploited vulnerabilities list from the Cybersecurity & Infrastructure Security Agency (CISA).
Create Contractual Protections
Once you decide on a vendor, it’s necessary to have contractual protections in place, according to Malik. You must specify what restrictions are necessary and be clear about how the data is to be treated.
It’s not enough to have a conversation about your expectations. These requirements must be in writing and agreed upon by all parties involved.
“Ultimately, the third-party is the custodian, but they’re not the responsible person,” said Malik. “If there’s a security breach, the company that originally had the data will be held responsible. You can’t just pass off that kind of liability.”
At a minimum, you’ll want a contract that stipulates:
- The third party will handle data in accordance with your security standards
- The third party will comply with all government and industry regulations
- The third party will rectify any known vulnerabilities on networks processing your data
- The third party will follow all federal and state regulations regarding security breaches, should one occur
Data Security Is a Must in Any Third-Party Vendor Relationship
Third-party vendors come with a host of risks and complications — but they aren’t going away anytime soon.
“We’re living in an era of radically distributed trust,” said Malik. “And that itself is a problem that leads to a certain fragility in our infrastructure.”
It’s not likely that news coverage of data breaches and cyberattacks will disappear anytime soon. But that doesn’t mean you can’t protect yourself or your company. Educating yourself and your team on proper data security and management could mean the difference between garnering trust with your customers or ending up in a headline yourself.