When Vendors Open Doors To Cyberattackers

supply chain

Organizations are ramping up cybersecurity investments in response to the ever-climbing threat of data breaches and cyberattacks. Last year saw record levels of venture capital pumped into cybersecurity startups, and researchers at Gartner expect companies to increase cybersecurity spend by 9 percent between 2018 and 2019, reaching $124 billion.

But all the money in the world to secure an organization’s back office won’t necessarily help safeguard all company data. That’s because in the age of data sharing and collaboration, vendors and service providers throughout the supply chain have greater access to a business’s information, and a cyber incident at a supplier can spell trouble for its corporate customers.

A recent research report released by eSentire found that indeed, vendors present a significant cyber risk to organizations.

The company commissioned Spiceworks to survey 600 security and IT leaders about their biggest concerns and areas of focus in supply chain cybersecurity. The findings are troubling: 44 percent of survey respondents said their companies had experienced “a significant, business-altering data breach caused by a vendor.”

That’s despite the majority (60 percent) of companies surveyed having a third-party policy around data security.

Nearly 250 companies said they experienced a data breach because of security lapses at their supplier, and one-third of them said that incident impacted personal data. Twenty-nine percent said payment data was compromised, while nearly one-quarter said proprietary company data was exposed.

Perhaps of greatest concern is that only 15 percent of these impacted organizations said their supplier notified them when the data breach happened.

Researchers pointed to three recent cyber events that made headlines, including Not Petya ransomware that used accounting software company MeDoc to spread its attack. MeDoc serviced a range of organizations that were ultimately impacted as a result of the accounting firm’s Not Petya infection, from hospitals to logistics firms.

The report also pointed to data stolen from law firms and cyberattackers’ ability to use that information to obtain employee credentials about pending deals. Authorities said that data then led to more than $4 million in illegal stock trades, according to Wall Street Journal reports.

Finally, eSentire’s report said, SS&C Technologies was sued by Tillage Commodities Fund, for which SS&C acted as third-party administrator, with allegations that SS&C failed to conduct its due diligence, leading the company to fall for a $5.9 million business email compromise scam.

Organizations’ cybersecurity investments may be giving firms a false sense of security. Eighty-one percent of businesses surveyed said they consider their policies to be effective, and 90 percent review them at least once a year. The majority also said they have policies in place that allow them to initiate legal or monetary consequences on their parties in the case of a data breach, including contract termination, lawsuits and financial reimbursements.

Yet according to the report, half of the companies surveyed continued to work with that third party following a cyber incident, and 69 percent did not change their risk policies as a result of a data breach.

In its blog post summarizing the report, eSentire said that all companies must “coordinate responsibilities to prevent the ball from dropping between the players,” and must “consider obligating security requirements, and cover breach notification that follow GSPR triggers and timelines.”

The company also recommends that businesses consider cyber insurance “and other forms of indemnification,” and explore the New York Department of Financial Services’ Cybersecurity Rules, specifically its third-party vendor cyber requirements.

The report follows research published last November from Opus, which surveyed security executives in the U.S. and U.K. and found that 61 percent of companies that experienced a data breach as a result of their third-party vendor, a 5 percent increase from 2017 figures.

“The third-party ecosystem is an ideal environment for cybercriminals looking to infiltrate an organization,” said Dov Goldman, VP of innovation and alliances at Opus, in a statement at the time.