
08.20.20

Lauren Winchester

3 Reasons IT Vendors Are a Bigger Cyber Risk Than You Think

The following is an adapted excerpt from a new Corvus Ultimate Guide for brokers on how they and their clients should handle a breach situation that is due to a third party. Click to download the full paper, free.

Organizations are in the midst of a decade-old shift to deeper integration with managed service providers (MSPs), software-as-a-service tools (SaaS), and other cloud-based IT solutions. This means the security practices governing many key business functions are now outside of the IT team's direct control.

What Are the Top Three Reasons That IT Vendors Pose Cybersecurity Risks to Clients?

In some cases, that may be a good thing, as the vendor may have more resources to put toward security than the organization had. But that trust shouldn't go too far. Having worked with thousands of brokers and policyholders, we’ve observed an unspoken assumption that these vendors, with their highly advanced products, are paragons of cybersecurity. That’s a misplaced assumption for three reasons. 

  1. The Bigger the Organization, the Harder It Is to Secure

    • One, the bigger and more complex an organization, generally the harder it is to keep safe. Vendors may have excellent security teams and practices, but they face a Sisyphean task given their scale if they are hosting and managing IT services for hundreds or thousands of clients.

  2. The Adversarial Factor of Certain Businesses

    • Second is the adversarial factor, something we explored in an earlier blog post. These companies may be at greater risk because criminals see them as a rich target: if they can infiltrate the vendor, they can potentially extend their attack to hundreds or thousands of customer organizations and amplify their leverage. 

  3. A False Sense of Security

    • Lastly, some providers have an air of invincibility about their exposure, likely for the same reason their customers instinctively trust them -- that they believe they're doing enough, technology-wise, to be secure, despite the challenges described above. A survey by Coveware shows a large disconnect between what MSPs believe to be the cost and consequences of an attack, and what they are in reality. This implies that they aren't taking the threat as seriously as they might if they had a more realistic idea of the risk.

Some relevant data has emerged that supports these assertions. Attacks on IT managed service providers (MSPs) increased 185% in 2019 according to Crypsis, causing one writer to call MSPs a “worrying new frontier” for ransomware last year. In a survey of 600 companies, 44% reported experiencing a vendor-caused breach. And in May 2020, a ransomware attack on Blackbaud, a widely used cloud services provider for nonprofits, had broad implications for hundreds of organizations, bringing the issue to the fore once again. 

What Your Clients Need to Know about Vendor Breach Response

Naturally, these worrying trends and real-world situations have resurfaced questions among brokers and their clients about what companies should do when their vendor is targeted. 

There's some overlap in how a breach situation is handled when it's in-house versus from an outside source, but there are enough differences that we wanted to explore the issue in depth. Working with Dom Paluzzi, Co-Chair of the Data Privacy and Cybersecurity practice at the law firm McDonald Hopkins, we've put together the Ultimate Guide to Vendor Breach Response.

This guide covers everything your clients should expect if their vendor is breached, from the first steps they must take to mitigate damage, to the questions they need to ask of the vendor to get the information they need. Download today!
