Cyber Hygiene
Security Risks From Employees Working From Home
Audits Don't Solve Security Problems
Is 'Discover, Classify, Protect' Wrong In Cybersecurity Today?
Breadth Vs. Depth: Cybersecurity Industry Has Been Focusing On The Wrong Thing
Third Party Vendors
The Rise Of DASB, Sunset Your DLP
How to Prevent Source Code Modification & Leaks
End Source Code Theft
Why Isn't DLP Preventing Data Breaches and Data Leakage?
SecureCircle Data Access Security Broker (DASB) Selected By Quanta Storage To Eliminate Insider Threats
Organizations Should Bulk Up Cybersecurity In Case Of Iranian Cyber Attack
The Evolution of Data Protection
Ransomware stealing data before encrypting
Insider Threats Infographic
Who collected 4 billion records on 1.2 billion users?
Cisco Systems - Target of Malicious Insiders
New Yorks SHIELD Act
Insider Threat at Lion Air (Update)
How to Prevent the Lion Air Databreach
CIO IT Taiwan | SecureCircle 控管檔案讀取 權不怕合作生變造成洩密
How to Prevent the Mastercard Data Breach
Capital One Hacker Breached 30 Companies Through a Single Cloud Provider
Government Organizations Are Not Ready for Cyberattacks
How to Prevent the Boeing Data Leak
End Insider Threats Without Impacting Users Or Business Workflow
Singapore Overhauling Data Protection Practices
SecureCircle available on Taiwan Government CloudMarketplace
SecureCircle placed on UK Government Framework Catalogue
The New Federal Data Strategy
SecureCircle announces United Kingdom and EMEA Distributor, Care21
Quest Diagnostics and LabCorp in Trouble
Insider Threat in the Air Force
Disruptor Daily | What trends are shaping cybersecurity in 2019?
Disruptor Daily | What is the future of cybersecurity? Experts share their insights
How to Combat the Business Email Compromise Scam
How to Prevent Government Data Breaches
Availability Bias in Cybersecurity
How to Minimize Your Exposure to Employee Mistakes
A Look Inside Toyotas Second Data Breach
Four Keys to Data-Centric Data Protection
Asymmetric Information Causes Data Breaches
SecureCircle Introduces Send Secure for Agentless Protected Data Sharing
The Financial Consequences of a Data Breach
Insider Threats Can Happen to Anyone
Federal Data Privacy Laws Are Coming
Forget Collection 1: Here comes Collections 2-5
Forbes | 10 Industries On The Cusp Of Technological Disruption
Collection 1: Not a Big Deal?
It All Adds Up: Better Cybersecurity is a Necessity in 2019
Why New Year Resolutions Fail
9 Costly Security Mistakes
Security InfoWatch | The Last Mile Security at the Edge
2019 Security Predictions(Infographic)
Security Today | Rethinking Access Control
We love what we do - 2018 Review (Infographic)
Holiday Hacks Are Not Going Away
Solving Multi-Cloud Security
A better solution than web bugs for internal visibility
Why File Encryption is not enough - A Customer Conversation
Security, Visibility, and Control
SecureCircle Introduces Enhanced Cybersecurity Offering for Cloud-First Enterprises
Healthcare Needs a Change
What is old is new: Cold Boot Attacks
Inside Information - Data that should NEVER leave the organization
CTimes | SecureCircle and Netbridge Distribution Partnership (Chinese)
SecureCircle Announces Asia Pacific Distributor, NetBridge Technologies
Insider Threats
CSO | The hidden security problem we all need to know about
Opt-Out is more than blocking SPAM
What is Opt-Out Data Centric Protection? And why is it so important
Digital Hygiene in a GDPR World
Security Info Watch | Enterprises Beware: Cybersecurity Challenges in the Cloud
GDPR Readiness (Infographic)
The Lost Laptop
Strategic Finance | Security in a World of Zero Trust
Reading Between the Lines - The Real Impact of Insider Threat (Infographic)
Protecting Internal Data
Press & News Embargos
CSO | GDPR: Where are we now?
SecureCircle @ CIAB FEBRABAN, Sao Paulo Brazil - The Recap
California Consumer Privacy (The next generation of GDPR)
I am safe. My data is encrypted. Right?
University of Texas MD Anderson Cancer Center ordered to pay $4.3 million in HIPAA violations
Is my Air Gapped Computer Safe?
The Broken 80/20 Rule
SecureCircle and Fiandeira Tecnologia Showcase Unstructured Data Solution at CIAB FEBRABAN
SecureCircle will be exhibiting at CIAB Sao Paulo Brazil June 2018
Throw Tech Away - The Rise of a New Generation of Data Security
GDPR Compliance Tips: The Top Experts Speak
Are you ready for a password-less world?
CSO | The Impact of Human Behavior on Security
Account compromised? What about your file content?
Age old discussion: Convenience versus Security
SDxCentral | Four Security Myths You Need to Shake
Security Today | Digital Security in a Zero Trust World
MegaMinds AIthority Interview with Jeff Capone
2018 Govies Awards
Data Protection needs to be agnostic like Switzerland

Third Party Vendors

Written by 
February 17, 2020
March 31, 2020

The Achilles Heel of Data Protection

Health Share of Oregon, the state's largest Medicaid coordinated care organization, exposed personally identifiable information (PII) of 654,362 of its members, including names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers. The breach did not occur at Health Share of Oregon itself, however. The office of one of its suppliers, GridWords IC, a medical transportation company, was burglarized and a laptop with this data was stolen.

When it comes to data protection, a company’s third party vendors are too often its Achilles heel. A company can reinforce its own security posture with the latest and greatest technology, but it still has to provide access and share information with its suppliers, and its suppliers’ suppliers, and so on up the chain. With each degree of separation, the company has less control over its suppliers’ security – especially small suppliers with modest security programs. But when there is a data breach, no matter how far along in the supply chain, the company (Health Share of Oregon, in this case) is still accountable.

“No one’s personally identifiable information (PII) is safe. Companies can’t count on the integrity of their suppliers’ and partners’ security capabilities”, CSO Online says. Expect more companies to demand security audits of their partners, suppliers, and service providers. Third-party breaches are becoming more common, and it shows that any organization’s security is only as good as its extended network.”

Third Party Vendor Breaches on the Rise
In one of the biggest data breaches in history, hackers stole 40 million credit cards from Target. The hackers were able to access this data by going through its third party HVAC supplier. Nobody remembers the HVAC company’s name, but everyone remembers Target. The breach cost Target over $200 million, plus on-going continued reputational damage to this day.

Today, high-profile data breaches are an almost daily occurrence, and if you read the details, often the root cause is a third party vendor breach. A recent survey found that nearly 60% of companies in 2018 were the victim of third-party data breaches, a notable increase over the previous year. Greatest hits include: 

  • Quest Diagnostics
  • LabCorp
  • DoorDash
  • Walmart
  • Verizon
  • Scottrade Bank
  • Italian bank Uni Credit
  • The Republican National Committee
  • Deloitte
  • Accenture

The last two examples, Deloitte and Accenture, highlight that while the weak- ink can be your mom-and-pop HVAC supplier, large suppliers are also a risk. Deloitte and Accenture are widely regarded as experts in data protection and are both paid handsomely to advise on security. The egregious breaches that they suffered were the pinnacle of embarrassment in third party security.

No Good Solution? 
CIOs agree that supplier security breaches are one of the biggest problems in data protection today, however, to date, this appears to be a problem without a no good solution. 

Contractual Terms, Auditing, and Compliance
As a first line of defense, enterprises are demanding stronger contractual terms with suppliers, in terms of the security they require of their vendors, and the legal and financial consequences of a breach. This transition is occurring at a glacial pace. Large enterprises already have thousands of vendors and are not in a position to easily re-negotiate contractual terms with all of them. At best, enhanced contractual terms might provide some financial and legal compensation, although even this is highly dependent on the size of the vendor and the jurisdiction in which they would be held accountable. Ultimately, the responsibility of a breach is still borne by the enterprise itself, particularly including the lasting reputational harm (the public remembers your brand, no one remembers the vendor).

Contracts and good-will aren’t enough. Moreover, just because a supplier is agreeable and willing, that doesn’t mean their data protection measures are up to par. Enterprises are spending more than ever to audit their partners, suppliers, and service providers, but this is extremely costly, and the great irony is that audits today assume antiquated security measures are in place such as disk encryption and DLP, which are far from a guarantee that a data breach would not occur. 

To streamline the certification and auditing of vendors, third party registries have emerged that audit and certify vendors for you. One example is Vendorpedia that certifies third party vendors comply with standards such as GDPR, NIST, and ITAR. The idea is that as an enterprise, you would not have to audit all of your suppliers yourself, but simply require any supplier to show proof of certification and audit from one of these registries. But there are many problems here. A third party registry is only useful if it reaches a critical mass of vendors, which will take a long time and may never happen. And even then, at best vendors are attesting to a certain level of compliance, however as any junior security analyst can tell you, compliant does not mean secure. 

Technology Options
In terms of technology, some enterprises ship secured laptops to their third parties and require the third parties to only work on those laptops. Others require that their suppliers work in a virtual space using VDI. These solutions are burdensome, slowing down productivity, and simply don’t scale across thousands of suppliers. 

Digital rights management (DRM) has had a resurgence of lately because it offers an attractive thesis – protect your sensitive e-mails and files and wherever they go. Even if they fall into the wrong hands, they are still protected. The notion is not wrong. Rather than implementing endless levels of audit, compliance and perimeter security, it is reasonable to assume that data will flow into your partners hands, and eventually into the wrong hands, and that the solution is protection that follows the data wherever it travels. Unfortunately, DRM remains a theoretical idea at best, just as it was 20 years ago. In practice, DRM suffers from significant user experience problems, as users are required to classify their data, and access is limited to certain file types, special applications, plug-in’s, authentication mechanisms, access controls, etc. Managing this at scale is unwieldy, and nearly impossible once the data starts flowing into suppliers’ hands who have different operating systems, applications, versions, and plug-in’s. After 20 years of DRM, there are very few success stories.

If only there was a way to protect your data wherever it goes, but with an invisible user experience that does not slow down productivity?

Third Party Data Breach

DASB: Protection That Follows Your Data, With A Transparent User Experience
Data Access Security Broker (DASB) is a limitless data protection solution, delivering transparent and persistent data protection. DASB moves access control policies from the storage system of the data to the data itself – from device-centric to data-centric.  Data is automatically protected by default, and this protection follows the data and every action that touches the data, even when it moves into a vendor’s hands. 

Whether inside your company or at partner, vendor, or customer site, a user can only access the data if they have appropriate privileges per the security policy. An administrator can revoke access to the data and change permissions at any time. Malicious or accidentally shared data cannot be accessed by unapproved parties.

In the case of Health Share of Oregon, its vendor GridWorks IC would not have had access to its members PII unless Health Share of Oregon had authorized this on its policy. As soon as it was known that the laptop with this information was stolen, an administrator would have remotely cut access to all protected data, and the malicious actor would have only had access to encrypted blobs, nothing more. Health Share of Oregon would have also had an audit trail of every access attempt on the data, even the stolen, protected, data that was now in the malicious actor’s hands, giving them further insight into the incident.  

But unlike DRM technology, DASB is completely invisible to the end user, making it fast to implement and easy to scale. DASB imposes no limits on applications, versions, file types, file sizes, repositories, developer tools, workflows, or anything else in the environment, no matter how complex or enterprise specific. Users don’t even realize it is there.

DASB Secures Your Enterprise and Your Supply Chain 
Companies who rely on third party vendors and suppliers are exposed to a greater level of data breach risk. Unfortunately, all modern companies today fit this description, and the trend is only increasing. The modern enterprise is highly interconnected with a myriad of suppliers, and no matter how strongly you fortify your own security posture, your Achilles heel will always be those third parties with whom you share information. 

DASB eliminates this risk. Whether you’re a media enterprise like HBO that collaborates with hundreds of suppliers big and small during the production of a series, whether you’re a financial services enterprise the leverages third party services from the Deloitte’s and Accenture’s of the world, a commerce giant like Target that needs HVAC, or a health provider like Health Share of Oregon, DASB persistently protects data by default so that you remain in control, even when information flows into your vendors hands. Even when it inevitably flows into the wrong hands. DASB covers you and your entire supply chain, all while providing a completely transparent experience.

Let's Chat

Prevent Data Breaches

Let’s discuss your unique cybersecurity challenges and needs.

Contact Us

If you want to notified when we post the newest content about mitigating insider threats, data breaches, protecting source code, and DASB, please subscribe to our SecureCircle newsletter.