Companies Faltering On Managing 3rd Party Risk


Original Source: Information Security Buzz

Article URL: https://www.informationsecuritybuzz.com/expert-comments/companies-faltering-on-…

This article originally appeared in Information Security Buzz on November 19, 2018.

A new report* by Opus and the Ponemon Institute reveals that 61 percent of US companies surveyed said they have experienced a data breach caused by one of their vendors or third parties. What is even more alarming is that 22 percent of respondents admitted they didn’t know if they’d had a third-party data breach in the past 12 months, and only 37 percent indicated that they have sufficient resources to manage third-party relationships.

Chris Olson, CEO at The Media Trust:


“Consumer data is money and companies in general have lots of it. That data is also increasingly vulnerable to misuse and breaches, and, as a result, under growing regulatory scrutiny. With GDPR now in force, the California Consumer Privacy Act passed, and a new federal data privacy bill under review that criminalizes inaccurate or incomplete information on data privacy and security practices, companies will need to thoroughly map what data they collect—whether on their own or through vendors and third parties—how they use it, and whom they share it with. As businesses become increasingly dependent on third parties in gathering this data within their digital ecosystem, a good first place to start is knowing all third parties who keep their websites and apps running, what information they collect, the lifespan of their data-gathering technologies (e.g., cookies), and what security measures these third parties have in place. This is because websites and apps are often primary touchpoints for prospects and customers. Unfortunately, no industry standards require knowing anything about third-party code; not even PCI DSS requires it, even though most payment pages are supported by third parties and are being attacked by cybercrime rings like Magecart. In the post-GDPR world, managing risks from third parties is not only a data compliance strategy but a revenue strategy.”