Vendor cyber breaches are shockingly common. A study released by the Ponemon Institute in November revealed that 59 percent of respondents in the U.S. and U.K. report that a third party caused a data breach.
That includes the 42 percent of organizations that experienced a vendor-related data breach in the past 12 months. Another 22 percent didn’t even know if they’d been exposed by a third-party data breach.
Consider these recent examples:
Corporations Services Company (CSC). Routine security monitoring detected unauthorized access to CSC’s network and systems in April 2018. The company, which serves over 3,000 financial institutions, said that a database with client information containing at least 5,600 individuals’ names, Social Security numbers or credit/debit card information was stolen. The company has since added controls like two-factor authentication, more firewalls and longer employee passwords.
Scottrade Bank. More than 20,000 customers’ sensitive information was exposed when third-party vendor Genpact “uploaded a data set to one of its cloud servers that did not have all security protocols in place.” It was discovered by an outside researcher.
InTouch Credit Union. A third-party data analytics service was a victim of a ransomware attack. Members’ Social Security numbers and account information were exposed. As a result, the institution changed accounts and cards for all affected accounts and provided data monitoring for thousands of members.
No matter how strong a financial institution’s own cyber defenses are, it’s really only as strong as its weakest vendor.
Ongoing monitoring of your vendors’ cybersecurity programs is critically important. This includes:
Don’t assume your vendor is protecting your sensitive data. Make sure you are taking proactive steps to ensure vendors are up-to-date on the latest threats and addressing cybersecurity thoroughly.