Should You Be Responsible for 3rd Party Vendor Breaches?
January 13, 2023

Organizations are increasingly turning to third-party vendors to save on the costs of maintaining full-time staff for specific business functions such as accounting, marketing, IT management, shipping and logistics, and customer service. However, while third-party contractors can help with your bottom line, you may be increasing your risk for cyberattacks. 

As a business owner, you have access to various types of data – from company secrets to customers' payment and personal information and supplier profiles. To maintain your organization’s reliability and reputation, you must protect sensitive information from falling into the wrong hands. Unfortunately, your organization's sensitive data is still at risk, even with the most robust cybersecurity framework implemented within your own company. Why? Because hackers aren’t only targeting you but also looking for weaknesses in the third-party vendors you’ve allowed into your circle.

The Surge in 3rd Party Vendor Breaches

The problem is that many third-party vendors are still lacking in cybersecurity practices, leading to ransomware attacks and major data breaches. In 2019, Facebook had 540 million user records publicly exposed on Amazon’s cloud computing services when two third-party Facebook app developers posted the records, including names, IDs, and even users’ comments and reactions to posts. Also, in 2019, First American Financial Corp had 885 million records exposed online due to a configuration error on its website. 

Third parties often prove to be the weak links when it comes to IoT cybersecurity. An example would be the infamous Mirai IoT botnet threat in 2016, which turned networked devices into remotely controlled “bots” after they were infected by the malware.

In 2022, KeyBank suffered a data breach caused by its insurance services vendor, while LastPass became a victim of a data breach because of its phone number verification services provider. In August 2022, almost thirty organizations, including The Salvation Army, St. Joseph’s Medical, and Syracuse Pediatrics, were breached because of their healthcare management services provider. 

With third-party data breaches still happening left and right, organizations wonder how to mitigate their risks. Companies can’t eliminate their partnerships with third-party vendors entirely as they rely on them for business success. But in the event of a data breach caused by a third-party vendor, who is deemed accountable and responsible for the costly consequences?

What Data Protection Regulators Have to Say

In the European Union, the General Data Protection Regulation (GDPR) places the responsibility of keeping data secure on the companies that gather, process, and store the data. And in the event of a data breach, it is the business’s duty to notify both its customers and the European Supervisory Authority, even if the breach was caused by a third-party vendor. The Cyber Resilience Act (CRA) enforces essential security requirements on manufacturers of products with digital elements (HW & SW) covering, among others, security by design and vulnerability management capabilities, with considerable penalties upon non-compliance.

In the US, companies are also accountable for protecting their data. In New York, specifically, insurance companies, banks, and other regulated financial services institutions are regulated by the NYDFS Cybersecurity Regulation, which covers third-party vendors. And companies offering financial services must ensure that their third-party partners have adequate cybersecurity programs and policies. 

Because third-party vendors provide crucial functions and products, organizations shouldn’t be quick to blame their business partners; rather, they should only work with vendors that align with their own cybersecurity goals. They must be prepared to be proactive and diligent about assessing and auditing their third-party vendors' cybersecurity capabilities.  

Due to the interconnectedness of IoT devices, companies should be cautious about the IoT products they acquire from third parties. Until there are stricter IoT regulations, organizations should diligently keep an inventory of their IoT assets and conduct vulnerability assessments regularly. Relying on a specialized third-party evaluation company and tailored solutions such as CyberPass becomes a must.

How does the A4CEF project help secure against third-party vendor breaches through cloud certifications?

The A4CEF project built capabilities, contributing to the European Cybersecurity Certification Framework (ECCF) and the EU Cloud Services (EUCS) scheme in particular.

This project has been designed to directly meet objectives of the CEF-TC-2020-2 call for proposals text, under Objective 4 – “Support to cooperation and capacity building for cybersecurity certification in line with the Cybersecurity Act”.

The scheme defines 22 harmonized categories of security requirements on controls that will be applied in the context of European Certifications once adopted. These requirements include themes related to how to deal with supply chain management for Cloud services and how Cloud Service Providers should deal with such challenges and under what responsibilities. The consortium worked, among others, on enhancing the internal capabilities of all the consortium partners, through newly developed training material on cloud computing certification, and through practical application of the certification processes previously defined and developed at NSAI, with the conduct of related cloud computing pilot certifications.

If you want to know more about the A4CEF project and its activities, please visit this website: https://www.a4cef.eu