Data Breaches And Phishing Attacks: How Third-party Vendors Can Jeopardize Your Organization

The recent pandemic-induced rush of small to medium businesses and large enterprises to get on the cloud has encouraged malicious actors to develop more creative phishing emails and other modes of cyberattacks to lure people into parting with sensitive data. Besides, the work-from-home scenario has pushed people to less secure environments. Cyber adversaries have also taken advantage of the relaxed mindset employees fall into when they are away from the secure network of the workplace.

 

Chart 1: Number of compromised data records in selected data breaches as of January 2021 (in millions) (Source: Statista)

Some very significant data breaches in the history of the digital world have taken place in the past decade. Yahoo! revealed that its data breach in 2013 affected 3 billion user accounts. And an Indian data breach resulted in stealing biometrics and iris scans of more than 1 billion people. They are two of the most significant data breaches of the century.

Most organizations have turned to third-party cloud solutions to take care of their data and storage needs. Malicious actors have breached many third-party vendors’ cloud infrastructure due to wrong configuration settings and a lack of security updates. Therefore, organizations and large enterprises must implement robust safeguards and control measures to keep watch on their information assets before a cyber-attack occurs.

 

How Third-Party Vendors Are A Risk To An Organization’s Information Assets?

The need for increased cloud infrastructure and cloud storage has compelled organizations to rely upon third-party vendors for hosting and anti-phishing solutions. As organizations grow and their functioning gets more complex, it makes sense to outsource the set of operations that external solutions can better manage. In this regard, management also needs to understand the risks involved.

An organization that depends on multiple third parties widens the risk of an attack. Malicious actors have more targets to pursue. If an organization employs four or five different vendors, for instance, then each of those vendors is a potential point of attack. Some of the most malicious data breaches in recent times are listed below.

1. Third-party security vulnerabilities remain a major source of cyberattacks. In February 2020, General Electric suffered a data breach when malicious actors accessed one of the email accounts containing sensitive data about its employees, former employees, and other beneficiaries from a third-party vendor’s system.
2. While it is necessary to perform server upgrades to enhance the system software for security purposes, how it is performed must ensure that no data is left exposed. In December 2019, cyber adversaries stole personal information belonging to customers of P&M Bank via a third-party’s hosting service.
3. The healthcare industry faced the most cyberattacks during the pandemic, of which the main threat was ransomware. According to a report by Tenable Research, ransomware attacks accounted for 54.95% of breaches, followed by email compromise via phishing accounting for 21.16% of breaches.

 

Chart 2: Healthcare Breach Root Causes. Source: Tenable Research analysis of publicly disclosed healthcare breach data, Jan 2020 – Feb 2021

 

What Can Third-Party Vendors Do To Avoid Data Breaches?

Seeking the services of third-party providers may be unavoidable given the modern-day business requirements and the complex technologies involved. Organizations should ensure that the third parties they engage with take necessary steps to minimize the risks of data breaches. Some of the measures can be:

1. Up to date security applications: Vendors must ensure that their cloud applications are secure. Security tools such as anti-phishing solutions that provide email phishing protection must be up-to-date. Implementation of two-factor authentication adds security to accounts in case login credentials are stolen.
2. Strict protocols: Follow necessary protocols while upgrading servers and software applications so that systems are not left vulnerable during critical hardware or software upgrades.
3. Anti-ransomware solutions: Ransomware accounts for the highest number of breaches. Third-party vendors should ensure anti-ransomware solutions are in place to prevent operation downtime and sensitive data from being stolen and held hostage.
4. Hardware security: Third-party vendors should also follow strict security protocols regarding hardware devices being used to access client data. Logging in to email accounts from laptops that can be stolen or left unattended are potential ways for malicious actors to access an organization’s data.

 

What Can Organizations Do to Avoid Data Breaches?

Like third-party vendors, organizations can also take specific measures to avoid data breaches.

1. Follow best practices as the first step to securing an organization’s data.
   1. Use anti-malware solutions to protect data from malicious attacks.
   2. Conduct general awareness programs regularly to impart knowledge on recognizing phishing and how to stop phishing emails.
   3. Report a suspected data breach to the respective authorities Immediately.
2. Ensure that data privacy regulations are being enforced. In the U.S, for example, the California Consumer Privacy Act (CCPA) and the New York SHIELD Act are data privacy regulations designed to protect the privacy of consumer information.
3. Assess the organization’s as well as the third-party’s cybersecurity posture. Along with it, conduct a cybersecurity risk assessment to identify the vulnerabilities in the organization, which will help in taking necessary action to strengthen its cybersecurity posture.

 

Final Words

With an increased number of organizations moving their information assets to the cloud, the challenge to keep all that data secure has become paramount. Organizations need to take proactive measures in compliance and risk assessment and follow best practices to prevent a data breach. Data breaches can cause a business to lose its reputation and consequently drive customers away.

According to a study Invisible Tech. Real Impact conducted by Infosys-Interbrand, up to 223 billion USD of the world’s top 100 brands’ value could be at risk of data breaches. Therefore, organizations and third-party vendors must take necessary precautions to protect crucial data against data breaches.