Over the course of the last couple of weeks, I have tried to bring to you some topics related to Cybersecurity that will be of relevance in 2021.  Rather than simply providing you with a top 5 list of this or that, I have only covered a few topics so far, but I tried to go into more detail on each of them so that you could potentially make some use of it.

In today’s blog, we continue with the same theme, but instead we look at external, third parties.  Given the virtual world that we live in today, Corporate America is going to be much more reliant upon outsourcing their particular business functions to other businesses in order to help them meet the needs of their customers.

While this is for sure a great avenue to take, depending upon which line of business your company is in, there are always huge Cybersecurity risks that come with relying upon a third party.  There is no need to repeat them here, as a simple Google search can reveal all that to you.  Heck, there are even templates and questionnaires that you can use as you vet out your third-party suppliers.

So, what today’s blog is going to focus on instead is real-world examples of security breaches that have happened.  Hopefully, by seeing the gravity of this, you, the business owner, will come to realize just how important it is to work with external, third-party entities that you can develop a good rapport with.  So here we go:

*The Marriott Hotel Breach:

Now, this company was actually first impacted in late 2018.  But truthfully speaking, they have still been repeatedly hit over and over again, with no end in sight.  Earlier this year, right when the COVID19 pandemic hit, the company was hit again, in which a staggering 5.2 million Personally Identifiable Information (PII) datasets were stolen from customers.  Apparently, the root of this security breach came from a franchise of the Marriott Group, in which two of the employees had their accounts hacked into.

The moral of the story here: 

There is no such thing as trust anymore, in both the internal and external environments.  Also, if your third-party supplier has been impacted on numerous occasions, this should be a huge red flag to you.  While it is important to apply the lessons learned from the first security breach, it is equally, if not more, important to make sure that these lessons learned are also applied to the long-term Cyber planning, and not just to the short term.

More information about this security breach can be seen at the link below:

https://www.wsj.com/articles/cyber-daily-marriott-investigates-new-data-breach-tied-to-franchise-in-russia-11585746283

*The General Electric Breach:

This security breach occurred earlier this year as well.  In this regard, GE outsourced their documentation needs to an external, third-party vendor.  Over 200,000 PII datasets were stolen, of both previous and current employees at GE.  While this is not as staggering when compared to the Marriott Hotel breach, keep in mind that this is still a very serious issue.

The moral of the story here:

Document processing and storage has come a long way in terms of technological advancements, so now the trend is to store any kind or type of document that has been scanned in or photocopied into a digital format.  Because this area does not get as much scrutiny as others would, companies tend to think that by merely deleting the data all is good.  However, this is not the case.  The electronic information and data still resides on the hard drive of these document machines, and if they simply get thrown out the door or just tossed aside, any Cyberattacker can merely Dumpster Dive for them and literally get a treasure trove of stuff that they can use for subsequent Identity Theft attacks.  Human Resource (HR) departments need to take very special heed of this, as with the Remote Workforce becoming a permanent fixture, the emailing and efaxing of documents will now happen at a very high rate.

More information about this security breach can be seen here:

https://www.cpomagazine.com/cyber-security/third-party-data-breach-of-ge-vendor-exposes-highly-sensitive-employee-information/

The moral of the story here:

Make sure that your external, third party disposes of any sort of electronic media in accordance with the requirements that you have set forth.  Also, if it is spelled out in your contract with them, you have the right to go to their place of business and make sure that it is done properly.

*The Health Share of Oregon:

As most of us in Cybersecurity know, it is the healthcare industry that has been, and will continue to be, hit over and over again in 2021, unfortunately.  But this time, the attacks will be much more sinister in nature, with Ransomware being the primary threat vector that will be used.  In this particular instance, however, it really wasn’t a Cyberattack that was to blame.  Over 650,000 PII datasets of patients on Medicaid were heisted, but the physical location in which they were housed was physically broken into, and various laptops and other wireless devices were stolen.

The moral of the story here: 

We spend a lot of time worrying about threats coming from the virtual world.  We often forget about the physical world, and the Cyberattacker is fully aware of this.  Therefore, you need to make sure that your hired third party has adequate levels of physical access entry precautions at their physical locations.  Simply one layer of defense is not enough; they need to be taking what is known as a “Multimodal” approach, in which more than two layers of defense are used, preferably even more.

More details about this breach can be seen here at this link:

https://www.zdnet.com/article/health-share-of-oregon-discloses-data-breach-theft-of-member-pii/

*The Expedia and Hotels.com Breach:

In this case, an overseas third party (located in Spain) was used to process the PII datasets of customers.  Due to a misconfiguration in an S3 bucket that was used on the AWS Cloud based platform, over 10,000,000 records were exposed to the public at large.  The extent of this damage is still being ascertained.

The moral of the story here: 

When you are vetting out your potential, external third-party vendors, keep in mind that for the most part, you will be sharing confidential information and data with them, especially the PII datasets for them to process.  In this regard, you need to make doubly sure that whatever processing and storage mechanisms they are using are as Cyber proof as possible.  Also keep in mind that storing everything On Prem is no longer the norm.  Many companies are now opting to use Cloud based platforms such as AWS and Azure for data storage purposes.  While these providers do offer a very robust set of controls for protecting your mission critical information/data, you are ultimately responsible for taking a proactive approach to make sure that everything is configured properly.  If you do not know how to do this, then reach out to a Cloud Services Provider that can help you to do this.
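As an added example (not code from this post, and not AWS’s own tooling), here is an offline check over the two settings that an S3 exposure of this kind usually comes down to: the bucket policy and the Public Access Block flags.  The policy and flag dicts are constructed to mirror the shapes the S3 API returns; the bucket name, role name and account id are placeholders.

```python
import json
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _is_public_principal(principal):
    # "*" or {"AWS": "*"} grants access to everyone, anonymous users included.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_statements(policy_json):
    """Sids of Allow statements open to everyone and not narrowed by a Condition."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow"
            and _is_public_principal(s.get("Principal"))
            and not s.get("Condition")]

def block_public_access_enabled(pab):
    """True only when all four Public Access Block flags are switched on."""
    return all(pab.get(k) is True for k in PAB_FLAGS)

def assess_bucket(policy_json, pab):
    """Findings for one bucket; an empty list means nothing public was found."""
    findings = [f"public policy statement: {sid}" for sid in public_statements(policy_json)]
    if not block_public_access_enabled(pab):
        findings.append("Public Access Block is not fully enabled")
    return findings

# Constructed sample: a world-readable bucket, the weak configuration.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-guest-records/*"}]})
WEAK_PAB = {k: False for k in PAB_FLAGS}

# Constructed sample: the corrected configuration, one named role and all blocks on
# (account id 123456789012 is a placeholder).
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ProcessorOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ProcessorRole"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-guest-records/*"}]})
SAFE_PAB = {k: True for k in PAB_FLAGS}

if __name__ == "__main__":
    print(assess_bucket(WEAK_POLICY, WEAK_PAB))  # two findings
    print(assess_bucket(SAFE_POLICY, SAFE_PAB))  # []
```

A real audit would feed `assess_bucket` the output of the GetBucketPolicy and GetPublicAccessBlock calls for every bucket the vendor uses, and treat any finding as a contract issue to raise with them.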

More details about this security breach can be seen here at this link:

https://www.engadget.com/hotels-com-expedia-prestige-software-data-exposure-192013858.html

My Thoughts On This:

Finally, even despite all of the horror that these Cyber breaches have demonstrated, companies are still failing to do their due diligence when scoping out external, third-party vendors.  This is further substantiated by a study that was recently conducted by BlueVoyant:

*22% of companies simply do not do any background checks on potential, external third parties that they may want to hire;

*32% of respondents do not conduct a regular Cyber audit to make sure that their contracted third-party suppliers are up to snuff in terms of their own Cyber standards.

More details about this study can be seen at this link:

https://www.prnewswire.com/news-releases/bluevoyant-research-reveals-four-in-five-firms-have-suffered-a-cybersecurity-breach-caused-by-a-third-party-vendor-301136072.html

If this is not enough of a wake-up call, then this should be:  Should there be any security breach that occurs to the PII datasets that you have entrusted your third-party vendor with, they will not be at fault.  You will be!!!  Further, you will also face time consuming audits and huge financial penalties that can be imposed under the tenets of both the GDPR and the CCPA!!!