Are your providers and vendors contributing to your data security or jeopardizing your business?
Do you know who has access to your data, how they’re using it, and what safeguards are in place to mitigate a security incident? Recent studies show that over 50% of companies cannot answer these basic and critical questions. The bottom line: Your organization’s data security is only as good as your provider’s security efforts. Make it your business to stay informed.
On Mother’s Day weekend, we saw the “WannaCry” ransomware attack hit more than 300,000 computers in 150 countries at last count. Although targets of the cyberattack included universities, government agencies, and corporations of all sizes, health systems like the UK’s National Health Service were among the hardest hit institutions. Routine appointments were canceled, and emergency patients at several hospitals were diverted because of disruptions caused by the attack.
On a smaller scale, but no less frightening to the victims, a team of security researchers conducting what they referred to as a “routine internet sweep” discovered a misconfigured backup server managed by a third-party vendor. The misconfiguration had exposed over 7,000 private medical records from a New York hospital, some of which contained extremely sensitive information.
Image source: NBC News.
Damage from the WannaCry attacks was limited in large part by the ability of organizations to restore data from backups. However, as the New York hospital case described above illustrates, your organization’s data security depends on safeguards that cross over into your providers’ security efforts.
Given the frequency and viciousness of modern cyberattacks, findings from recent research conducted by the Ponemon Institute are particularly noteworthy. The Ponemon Institute surveyed 598 participants who manage their organization’s data security policies to understand the challenges they face when confidential data is handled by, or shared with, third-party vendors that perform functional or operational duties on their behalf. The report, “Data Risk in the Third-Party Ecosystem,” was released in 2016.
Key Research Findings
Perhaps the most stunning result was that more than one-third of the surveyed companies “do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information occurred.”
Figure 1. Source: “Ponemon Institute Data Risk in the Third-Party Ecosystem Report”
This lack of confidence in business partners is alarming because, as the Ponemon study revealed, 49% of companies have experienced a vendor-caused data breach that resulted in the misuse of sensitive or confidential information. Additionally, most respondents report that cybersecurity attacks involving third-party vendors are increasing (73%) and that those incidents are hard to manage (65%).
Given the growing threat, you might expect that companies would improve oversight of third-party suppliers. However, 58% feel that it is not possible to know if vendors have enough safeguards in place to protect against a data breach and don’t have clear accountability or processes in place to manage risk assessment of these partners.
Respondents rely primarily on declining service quality from vendors as the signal of increasing security risk, and count on legal contracts to provide insight into third-party security practices. Most customers do not thoroughly review their technology service providers: 65% of companies say they lack the internal resources to audit or evaluate the policies and practices of outside organizations.
Furthermore, respondents said they do not know the number of providers who have access to their confidential information, and of those who do have access, it’s unclear which providers share their company’s data with outside organizations.
“… it’s not any particular company, it’s just an epidemic that’s everywhere right now,” says UpGuard CEO Michael Baukes. “You see these human errors playing out daily. If you don’t understand what you have, you can’t control the processes and you can’t protect the risk.”
How to Protect Your Organization
The Ponemon Institute study reveals the difficulty companies have in mitigating, detecting and minimizing risks associated with third parties that have access to their confidential information. However, it’s not realistic or efficient to avoid working with all outside organizations that require access to your company’s data.
Security is especially important for regulated industries, like healthcare and government. Wired Magazine found that hospitals and healthcare facilities are ideal targets for ransomware attacks. Another report, “Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data,” found that healthcare organizations are not investing enough in cybersecurity measures, creating the perfect storm. The Wired article also points out that while employees at these organizations focus on maintaining HIPAA compliance, they are not trained in cybersecurity measures. Hospitals and other healthcare facilities are understandably reluctant to slow or stop operations to take planned downtime.
One way to protect the security and privacy of sensitive data is to work with third-party vendors that have proven their ability to maintain regulatory compliance and safeguard data. Vendors focused on data security invest in controls that align with compliance requirements and protect systems through regular updates. OnRamp specializes in high-tech security and compliance solutions for healthcare organizations and similar businesses with sensitive data. Learn more about our managed security services, and contact us to discuss how we can mitigate issues, together.