The following is an adapted excerpt from a new Corvus Ultimate Guide for brokers on how they and their clients should handle a breach situation that's due to a third-party. Click to download the full paper, free.
Organizations are in the midst of a decade-old shift to deeper integration with managed service providers (MSPs), software-as-a-service (SaaS) tools, and other cloud-based IT solutions. This means the security practices governing many key business functions are now outside of the IT team's direct control.
What Are the Top Three Reasons That IT Vendors Pose Cybersecurity Risks to Clients?
In some cases, that may be a good thing, as the vendor may have more resources to put toward security than the organization had. But that trust shouldn't go too far. Having worked with thousands of brokers and policyholders, we’ve observed an unspoken assumption that these vendors, with their highly advanced products, are paragons of cybersecurity. That’s a misplaced assumption for three reasons.
#1 The Bigger the Organization, the Harder It Is to Secure
One, the bigger and more complex an organization, generally the harder it is to keep safe. Vendors may have excellent security teams and practices, but they face a Sisyphean task given their scale if they are hosting and managing IT services for hundreds or thousands of clients.
#2 The Adversarial Factor of Certain Businesses
Second is the adversarial factor, something we explored in an earlier blog post. These companies may be at greater risk because criminals see them as a rich target: if they can infiltrate the vendor, they can potentially extend their attack to hundreds or thousands of customer organizations and amplify their leverage.
#3 A False Sense of Security
Lastly, some providers have an air of invincibility about their exposure, likely for the same reason their customers instinctively trust them: they believe they're doing enough, technology-wise, to be secure, despite the challenges described above. A survey by Coveware shows a large disconnect between what MSPs believe to be the cost and consequences of an attack and what they are in reality. This implies that they aren't taking the threat as seriously as they might if they had a more realistic idea of the risk.
Some relevant data has emerged that supports these assertions. Attacks on IT managed service providers (MSPs) increased 185% in 2019 according to Crypsis, causing one writer to call MSPs a “worrying new frontier” for ransomware last year. In a survey of 600 companies, 44% reported experiencing a vendor-caused breach. And in May 2020, a ransomware attack on Blackbaud, a widely used cloud services provider for nonprofits, had broad implications for hundreds of organizations, bringing the issue to the fore once again.
What Your Clients Need to Know about Vendor Breach Response
Naturally, these worrying trends and real-world situations have resurfaced questions among brokers and their clients about what companies should do when their vendor is targeted.
There's some overlap in how a breach situation is handled when it's in-house versus from an outside source, but there are enough differences that we wanted to explore the issue in-depth. Working with Dom Paluzzi, Co-Chair of the Data Privacy and Cybersecurity practice at the law firm McDonald Hopkins, we've put together the Ultimate Guide to Vendor Breach Response.
This guide covers everything your clients should expect if their vendor is breached, from the first steps they must take to mitigate damage, to the questions they need to ask of the vendor to get the information they need.