third-party data breaches

Third-Party Data Breaches: Weakest Link in Cybersecurity

One problem that many companies discover as they develop cybersecurity measures is that third-party data breaches is the weakest link in its data management chain. Many companies find it a business necessity to outsource some, if not all, data management, storage, and processing activities to third-party vendors. These vendors may include cloud hosting companies and other software as a service providers. Putting your company’s valuable data into the hands of a third party carries some risk, especially concerning the security of that data. Your company could have the most sophisticated cybersecurity protections in place to protect data, but if your third-party vendor has a lax attitude about cybersecurity, then your data could be at risk of being exposed in a data breach.

Third-Party Data Breaches are Serious Threat to Business Cybersecurity

It is not uncommon for hackers to gain access to businesses through third-party vendors and to compromise data. A business might have its own cyber security protections in place, but must grant access to third parties. When network access spans outward from the business to third parties, it creates a potential weakness in the security of a network. Third party vendors make for good entry access points to company computer networks because for every link in the chain of access to the company’s computer network there is an increased likelihood of a vulnerability in the cybersecurity measures that protect the network, which can be exploited.

According to Soha Systems Survey on Third Party Risk Management, 63% of all data breaches are linked in some way to third parties such as contractors, suppliers, or vendors that have access to a business’ system. Businesses are responsible for the data that they collect, transmit, use, and process, even if it is entrusted to a third-party vendor.

How Can Businesses Make Cybersecurity a Top Priority for Third-Party Vendors?

One way that a business can make cybersecurity a top priority for third-party vendors is through the use of a business agreement with the vendor. When hiring a third-party vendor, businesses can benefit from negotiating a contract with the vendor that specifically details the types of security measures and safeguards that the third-party vendor must use when handling data for the business. For instance, business can:

  • Utilizes a service-level agreement. This can be helpful in providing specific measures of security performance that the vendor must produce or provide.
  • Request that the vendor perform periodic security assessments on its systems.
  • Require an audit clause to be included in the agreement. This could enable the business to verify the third party vendor’s compliance with specific security protocols by way of an independent security audit.
  • Limit the third party vendor’s access to the business’s network. Only grant access to what the vendor needs to do its job and no more.

Having a business contract with the third-party vendor makes cybersecurity a priority for that company. The business can help mitigate risk associated with working with a third party. Third-party vendors need to know that their clients take cybersecurity seriously, so that they will take it seriously as well.   

Businesses are constantly facing new challenges concerning cybersecurity and third-party data breaches. Taking steps to protect your business by making security a priority for your vendors is a great first step to mitigating some of your business’s cybersecurity risk.

Our data breach attorneys can assess your current risk profile, or in the case of a data breach, help with notification compliance. Contact us using the form on this page or call us at 855-473-8474.

Image credit to Flickr user Blue Coat Photos.

Editor’s note: this post was originally published in December, 2016. It has been updated for content and clarity.

 

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *