CISOs: Make 2020 the year you focus on third-party cyber risk - Help Net Security

While cybersecurity professionals are certainly aware of the growing threat posed by sharing data with third parties, many seem to lack the urgency required to address this challenge.



If there is one work-related New Year’s resolution I’d like CISOs to make as we enter 2020, it’s to give the challenge of third-party cyber risk the attention it needs. In fact, I no longer see this as optional or as an extension of an enterprise risk and cybersecurity strategy, because third-party data breaches will dominate the threat landscape in 2020.


Data breaches and third-party cyber risk


This is not a new challenge. Headlines over the last few years have been filled with major breaches caused by hackers accessing companies’ data through their third-party vendors.


Six years ago, attackers breached Target by using login credentials stolen from a company that provided HVAC services to the retailer. That breach should have been a wake-up call for enterprises and cybersecurity vendors to address the challenge of third-party cyber risk, but years later these types of incidents are becoming even more frequent.


In the last year, for example, an unauthorized user gained access to data on 11 million Quest Diagnostics patients through the company’s partner debt-collection agency. Another bad actor accessed data on millions of Capital One credit card applicants through a misconfigured Amazon cloud container.


Estimates indicate that around 60 percent of data breaches are linked to third parties, and we can expect ..