Monthly Archives: October 2022

The 2022 Data Risk in the Third-Party Ecosystem Study

Organizations depend on third-party vendors for important services such as payroll, software development and data processing. However, without strong security controls in place, vendors, suppliers, contractors and business partners can put organizations at risk of a third-party data breach. A third-party data breach is an incident in which an organization's sensitive data is not stolen directly from it, but through a vendor's systems, which are misused to steal sensitive, proprietary or confidential information.

The study, sponsored by RiskRecon, a Mastercard Company, and conducted by Ponemon Institute, surveyed 1,162 IT and IT security professionals in North America and Western Europe. All participants in the research are familiar with their organizations' approach to managing data risks created through outsourcing. Sixty percent of these respondents say the number of cybersecurity incidents involving third parties is increasing. (Click here for a link to the full study.)

We define the third-party ecosystem as the many direct and indirect relationships companies have with third parties and Nth parties. These relationships are important to fulfilling business functions or operations. However, the research underscores the difficulty companies have in detecting, mitigating and minimizing risks associated with third parties and Nth parties that have access to their sensitive or confidential information.

Third- and Nth-party data breaches may be underreported. Respondents were asked to rate how confident their organizations are that a third or Nth party would disclose a data breach involving the organization's sensitive and confidential information.

Only about one-third of respondents say that they have confidence that a primary third party would notify their organizations (34 percent) and even fewer respondents (21 percent) say the Nth party would disclose the breach.

Based on the findings, companies should consider the following actions to reduce the likelihood of a third-party or Nth party data breach.

  1. Create an inventory of all third parties with whom you share information and evaluate their security and privacy practices. Before onboarding new third parties, conduct audits and assessments to evaluate the effectiveness of their security and privacy practices. However, only 36 percent of respondents say that, before starting a business relationship that requires the sharing of sensitive or confidential information, their company evaluates the security and privacy practices of all vendors. Organizations should have a comprehensive list of third parties who have access to confidential information and know how many of these third parties are sharing this data with one or more of their own contractors. Identify vendors who no longer meet your organization's security and privacy standards, and facilitate the offboarding of these third parties without causing business continuity issues.
  2. Conduct frequent reviews of third-party management policies and programs. Only 43 percent of respondents say their organizations' third-party management policies and programs are frequently reviewed to ensure they address the ever-changing landscape of third-party risk and regulations. Organizations should consider automating third-party risk evaluation and management.
  3. Study the causes and consequences of recent third-party breaches and incorporate the takeaways into your assessment processes. Only 40 percent of respondents say their third parties' data safeguards, security policies and procedures are sufficient to prevent a data breach, and only 39 percent of respondents say these data safeguards, security policies and procedures enable organizations to minimize the consequences of a data breach. In the past year, breaches were caused by such vulnerabilities as unsecured data on the Internet, improperly configured cloud storage buckets, and password managers that were not assessed and monitored.
  4. Improve visibility into third or Nth parties with whom you do not have a direct relationship. More than half (53 percent) of respondents say they are relying upon the third party to notify their organization when data is shared with Nth parties. A barrier to visibility is that only 35 percent of respondents say their organizations are monitoring third-party data handling practices with Nth parties. To increase visibility into the security practices of all parties with access to company sensitive information, including subcontractors, notification when data is shared with Nth parties is critical. In addition, organizations should include in their vendor contracts requirements that third parties provide information about any further parties with whom they will be sharing sensitive information.
  5. Form a third-party risk management committee and establish accountability for the proper handling of the third-party risk management program. Many organizations have strategic shortfalls in third-party risk management governance. Specifically, only 42 percent of respondents say managing outsourced relationship risk is a priority in their organization, and only 40 percent of respondents say there are enough resources to manage these relationships. To improve third-party governance practices, organizations should centralize and assign accountability for the correct handling of their company's third-party risk management program and ensure that appropriate privacy and security language is included in all vendor contracts. Create a cross-functional team to regularly review and update third-party management policies and programs.
  6. Require oversight by the board of directors. Involve senior leadership and boards of directors in third-party risk management programs. This includes regular reports on the effectiveness of these programs based on the assessment, management and monitoring of third-party security practices and policies. Such high-level attention to third-party risk may increase the budget available to address these threats to sensitive and confidential information.

To see the full study, visit the website.


Poor customer service is our greatest cybersecurity vulnerability

Bob Sullivan

When Bank of America put Hank Molenaar on hold recently, it told the Houston resident there would be a long wait time and he could press 1 to get a call back instead.  But before the bank called, criminals called, impersonating the bank, and stole his money via Zelle.  It was a Perfect Scam.  And the vulnerability that was exploited? It was poor customer service.

There’s a new, disturbing trend I’ve spotted and it’s time to ring the alarm bell. It’s hard work to hack into a bank and steal money. It’s much easier to enlist real consumers as allies to do it for you.  Theft via scam is on the rise, overtaking traditional identity theft / credential hacking, according to a recent report by Javelin Research & Strategy. Criminals are enlisting the help of account holders and other consumers with all manner of creative cover stories and impersonation schemes — the kind of stories I tell at AARP’s The Perfect Scam podcast. Financial institutions and retail outlets have laid the groundwork for this shift through years of neglectful treatment. When it comes time to make a trust choice — as a consumer, do you trust your bank or the person on the phone telling you a bank insider is stealing your cash? — all these years of mistreatment are forcing victims into the arms of criminals.

That’s what Diane Clements told me during a heart-wrenching interview for The Perfect Scam, a podcast I host. Diane and her husband, Tom, are both retired professors.  They worked their whole lives to build a humble $600,000 nest egg that would fund their retirement.  But when Diane’s computer went ballistic on her recently, and a message popped up telling her to “call Microsoft,” she followed the instructions. Soon, an operator on the other end of the line told her that all her bank accounts were hacked. It was an inside job!  And they wanted Diane’s help catching the bad guys. Diane was already struggling — her breast cancer would soon return, requiring aggressive treatment, and that only increased the frantic nature of these communications with “bank” security officials.  During the next three months, after near daily conversations with a set of online criminals, Diane and Tom slowly moved every penny of that $600,000 into accounts controlled by the criminals, all the while thinking they were helping catch a bank insider committing a crime.

I know it can be hard to understand how these crimes occur, but when you hear Diane tell her story, it makes sense (click here to listen). The thing that really touched me deeply was the stark contrast Diane experienced when talking with the criminals vs. talking to her bankers during the episode. The criminals sounded kind, empathetic, thoughtful — while workers at her local bank were downright mean. One even accused her of lying about having cancer during the episode.

“They (were) really mean. They’re rude. They are not helpful to me. Nobody reaches out to me and says, Diane, I’m concerned about you. Everybody saw me as a perpetrator, not as a victim. I still struggle with that,” Diane told me. “The contrast between them and the banks was stark. And the dissonance that caused me took its toll, because I could not understand how the banks could be so indifferent. So uncaring. Or so cavalier.”

When the day came that someone at a financial institution needed to intervene on behalf of a consumer in distress, Diane’s bank just couldn’t do that.  When a criminal told her to distrust workers at the bank, that was an easy story to sell. Years of neglect had set her up for a confrontational exchange, and that’s what she had.

You can’t mistreat people for years and then suddenly ask them to trust you.   Trust is won over a long stretch of time, through hundreds of interactions large and small. I see companies erode trust every day.  I just looked at my phone while writing this piece and saw an email from Uber with the subject line: WARNING!  It was a marketing pitch. Think about all the communications you receive that include trigger words like “verify” or “transaction,” all focus-grouped to make you click because you *think* it’s an important message about security — when it’s just an ad.  One day, when Uber really needs me to read a communication from them, I’ll probably ignore it. Or worse.

If Diane had felt some positive vibes from her bank, and if someone there had taken the time to really talk with her, she might still have that $600,000. And this scenario plays out over and over again at retailers and financial institutions across the country. For some reason, corporations have adopted the habit of treating their customers like potential criminals. In doing so, they’ve opened the door wide for the real criminals.

This is the message I delivered at a talk I gave recently to Navy Federal Credit Union employees about online scams.  We’ve given lip service for years to the idea that we should enlist consumers to help with cybersecurity. We want them to forward phishing emails they get. We want them to read our happy bulletins explaining the latest scams.  It hasn’t worked.  We need to do much more than that.  We need to make sure that consumers are on our side. We need to make sure consumers trust us. We need their hearts and minds. Criminals are enrolling consumers as accomplices, making the job of hackers so much easier.  To combat this, smart companies will invest in long-term consumer trust, deputizing their shoppers and account holders as agents who can spot scams, but more important, trust them enough to come to them when something feels wrong.

Back to Hank Molenaar. The real reason that scam worked? Bank of America was going to put him on hold for 40 minutes.  That gave criminals a big window of time to call him back first, impersonating the bank. Poor customer service was the security vulnerability. Imagine if Diane *knew* that she could send an email or place a phone call to a kind company representative who would answer her questions as quickly as the criminals did. The bank would have had a fighting chance, anyway.  Good customer service is good security.

Corporations spend billions of dollars on expensive software and experts designed to thwart sophisticated digital attacks.  That’s fine, but criminals are just sending manipulated consumers into the front door to steal money for them. Some of that cybersecurity money should be spent investing in customer service instead. When your consumers trust a random caller claiming to be from the IRS more than they trust you, cybersecurity is only one of the problems you have.

I know it’s poor form to repeat myself, but this message needs to come through — Javelin recently found that more money was lost to scams (“consumer-assisted crime”) than to credential hacking.  This is a trend with staying power. Ignore it at your peril.

I’ve spent my career wearing two hats: as a cybersecurity reporter, and as a consumer reporter.  Often, editors were confused that I insisted on covering both beats, as on the surface, they can seem quite different. Why should I care about the latest buffer overflow *and* unfair overdraft fees?  Now, you know why. They are two sides of the same coin.  And everyone should care about both.