The Beginning of a New Era - Why You Need Third-Party Risk Management

There were numerous breaches that took place in 2022 due to poor third-party risk management. Businesses got breached and because of operational vulnerabilities, their end-users (other businesses) were then also impacted by the breaches. It’s tough to imagine that you’ve been doing everything you can to be safe just for you to be unknowingly vulnerable because of a vendor. We would all like to trust our vendors and business partners and believe they are taking the necessary precautions to be safe and lower the risk, but the reality is that we cannot assume. Let’s review some of the third-party breaches and a guide every company should use for vendor due diligence.

5 Third-Party Breaches from 2022

Toronto Symphony Orchestra

Email provider WordFly, admitted to having a network disruption on July 10th. Yesterday, the Toronto Symphony Orchestra warned its patrons that their personal information may have been compromised.

‍

“We have come to learn that WordFly was subject to a ransomware attack,” the TSO said in its email. “As part of the incident, the attacker exported customers’ information from the WordFly environment, including patron information that WordFly was handling on behalf of the TSO.” (cp24)

Gaming Company Gets Attacked

Gaming company Bandai Namco confirms a ransomware attack, after a couple of weeks of rumors going around. Their Asian regions, excluding Japan, were breached by a third party on July 3rd, 2022. Information belonging to the company seems to be on the dark web, implying they were the victim of a double extortion. A double extortion is when a company refuses to pay the ransom, the cyber criminals release private data on the dark web.

‍

The company stated: “There is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about [the] existence of leakage, scope of the damage, and investigating the cause.” (techcentral)

‍

The Marriott Hotels Breached

The hotel chain Marriott, got breached for the third time in the last five years. Luckily this time, only 20GB of data was stolen. Up to 400 customers and employees will be notified that their information might be compromised. A good portion of what was stolen was internal documentation. The hacker / criminals have yet to identify themselves. The hotel chain notified law enforcement. (CyberScoop)

‍

Sunwing - 188 Flights Delayed

‍

Sunwing passengers were stranded as a result of a breach which took place at one of their external partners; aka 3rd party vendor, Airline Choice. According to Airline Choice, hackers accessed and compromised systems containing data. Many people were told their flights were delayed. Others were stranded, unable to get on a flight. Boarding and check-in features were impacted and it became a nightmare for both passengers and Sunwing staff. 188 flights were impacted because of the hack. (CityNews)

‍

German Library Service Struggling to Get Back Up and Running After Cyber Attack

‍

The attack on a German library service happened earlier this April and they are still trying to get services back to normal. Apparently attacked by the Lockbit Ransomware Group, they targeted the library’s service provider. The platform has over 200 libraries across Europe offering e-books, electronic newspapers, magazines, audio books and music. (TheRecord)

‍

‍

Preparing for the Due Diligence of a Vendor

Based on the above attacks and countless other we hear about, we recommend scheduling a meeting with the person or team responsible for IT within your organization.

‍

Before the meeting, explain the importance of the meeting and why you are requesting it in the first place. Your reasons may include

1. This is part of your (new) cyber security strategy is to perform due diligence of a vendor before working with them,
2. You need specific pieces of private information before moving forward and they are best communicated in a meeting
3. You learned from Assurance IT that vendor risk management is necessary because companies are as only as strong as their weakest link – which could be a vendor.

‍

We also recommend requesting their governance and policy handbook, the contact information of their data protection officer and a list of vendors they use to protect their environments.

‍

‍

Questions to Ask Your Vendors

1. How often do your employees have security awareness training?
2. Do you use multi-factor authentication (MFA)?
3. Do you have a clear inventory of your current assets? (physical, virtual and cloud infrastructure)
4. How are you currently protecting your endpoints?
5. Is there a formal incident management program in place?
6. Where do your data backups reside?
7. Do you meet the 3-2-1 data backup rule?
8. Do you encrypt data-at-rest and in-transit?
9. When was the last time a penetration test (pentest) was conducted? What changes did they make after the test?
10. Do you automatically patch operating systems and applications?
11. How are access restrictions managed?
12. Do you have any industry standards certifications?
13. Have you been cyber attacked before? How did you mitigate risk afterward?

‍

‍

Third-party risk management will be the baseline for security for companies in the near future. Employees will not risk choosing a vendor that may later cause embarrassment and potential lawsuits. Employees won't sacrifice their job for a vendor. There's too much at stake. And so, vendor risk management will be the norm.