As businesses small and large come to grips with security breaches being more certainty than possibility, it’s going to take a more open relationship between enterprises and their vendors to prevent the worst from happening.
Data breaches are costly. With credit score alert services, consultant fees, incident responder labor hours, legal fees, and communication efforts — not to mention a host of other costs — Ponemon estimates the total cost of the average breach at $1.57 million. The cost goes up if the breach involves a third party, from $154 per individual record to $170. Sixteen dollars might not seem monumental, but consider that the average breach involves more than a million data records. In the health care industry, Ponemon says the average cost is even greater, at $363 per record.
Dark Reading recently reported that as a result of the increasing costs, companies are turning to cyber insurance policies more as a risk management measure. And those companies are including liability clauses for third-party vendors. This might be because a large percentage of executives and cyber insurance policy holders believe third-party vendors should be liable for damages if those vendors do not uphold their “due diligence.”
The most detailed and ongoing case study on the complications and snowballing fees involved with a high-profile breach still belongs to Target. Most of the public, and even the bystanding victims of Target’s credit card breach, have likely moved on since the event in 2014. But for Target, the ordeal’s conclusion will not come anytime soon. In September a St. Paul district judge ruled that banks can pursue their case against Target for costs associated with the breach, after the retail giant had already paid a $67 million settlement to various financial institutions that had to issue new Visa cards. All for what started as a third-party vendor’s security oversight. Or was it? After all, it was Target that first issued the vendor’s remote access to its HVAC systems. And Bloomberg reported that there were warnings that failed to spur action before the attack.
Some industry analysts say what’s ultimately needed is a combined commitment to security from both third-party vendors and the enterprises that employ them. And it might be best to start with the basics, as Drew Wilkinson, Booz Allen Hamilton senior associate and cyber risk expert, recently told Computer Weekly. Companies need to proactively manage their relationships with vendors to minimize risk, and periodically check in to make sure access levels and policies are as strict as they should be, Wilkinson said. Many companies, he said, do not even know what data third-party partners have access to, nor which data is most important. Deciding which data is most important, assessing security for all vendors, and prioritizing protection are also good places to start.
Soon security diligence may not be a choice on either side of a business relationship. Government agencies are creating more laws to enforce good security practice, such as the HITECH Act for health care, the EU data protection legislation taking effect in 2016, and of course last year’s Personal Data Protection and Breach Accountability Act — which would have included not only fines but potential jail time. The bill died in Congress in 2014.
Since business relationships with third parties will never go away, and neither will the liability issue when it comes to data breaches, it is a good idea for enterprises to get out in front of it. Open a dialogue with all third-party business partners and make sure the concerns and efforts around security are mutual. PWC — along with quite a few other consulting firms — has suggestions for implementing a third-party risk management program. Often the focus for these risk assessments is on financial institutions, but the same principles should apply to all third parties. Even the HVAC company.