08.20.20
Lauren Winchester

3 Reasons IT Vendors Are a Bigger Cyber Risk Than You Think

The following is an adapted excerpt from a new Corvus Ultimate Guide for brokers on how they and their clients should handle a breach situation that's due to a third-party. Click to download the full paper, free

Organizations are in the midst of a decade-old shift to deeper integration with managed service providers (MSPs), software-as-a-service tools (SaaS), and other cloud-based IT solutions. This means the security practices governing many key business functions are now outside of the IT team's direct control.

What Are the Top Three Reasons That It Vendors Pose Cybersecurity Risks to Clients?

In some cases, that may be a good thing, as the vendor may have more resources to put toward security than the organization had. But that trust shouldn't go too far. Having worked with thousands of brokers and policyholders, we’ve observed an unspoken assumption that these vendors, with their highly advanced products, are paragons of cybersecurity. That’s a misplaced assumption for three reasons. 

  1. The Bigger the Organization, the Harder It Is to Secure

    • One, the bigger and more complex an organization, generally the harder it is to keep safe. Vendors may have excellent security teams and practices, but face a sisyphean task given their scale if they are a hosting and managing IT services for hundreds or thousands of clients. 

  2. The Adversarial Factor of Certain Businesses

    • Second is the adversarial factor, something we explored in an earlier blog post. These companies may be at greater risk because criminals see them as a rich target: if they can infiltrate the vendor, they can potentially extend their attack to hundreds or thousands of customer organizations and amplify their leverage. 

  3. A False Sense of Security

    • Lastly, some providers have an air of invincibility about their exposure, likely for the same reason their customers instinctively trust them -- that they believe they're doing enough, technology-wise, to be secure, despite the challenges described above. A survey by Coveware shows a large disconnect between what MSPs believe to be the cost and consequences of an attack, and what they are in reality. This implies that they aren't taking the threat as seriously as they might if they had a more realistic idea of the risk.

Some relevant data has emerged that supports these assertions. Attacks on IT managed service providers (MSPs) increased 185% in 2019 according to Crypsis, causing one writer to call MSPs a “worrying new frontier” for ransomware last year. In a survey of 600 companies, 44% reported experiencing a vendor-caused breach. And in May 2020, a ransomware attack on Blackbaud, a widely used cloud services provider for nonprofits, had broad implications for hundreds of organizations, bringing the issue to the fore once again. 

What Your Clients Need to Know about Vendor Breach Response

Naturally, these worrying trends and real-world situations have resurfaced questions among brokers and their clients about what companies should do when their vendor is targeted. 

There's some overlap in how a breach situation is handled when it's in-house versus from an outside source, but there are enough differences that we wanted to explore the issue in-depth. Working with Dom Paluzzi, Co-Chair of the Data Privacy and Cybersecurity practice at the law firm McDonald Hopkins, we've put together the Ultimate Guide to Vendor Breach Response

This guide covers everything your clients should expect if their vendor is breached, from the first steps they must take to mitigate damage, to the questions they need to ask of the vendor to get the information they need. Download today!

[WHITEPAPER DOWNLOAD] The Ultimate Guide to Vendor Data Breach Response

[RELATED POST] Tech Companies: Beyond Cyber Risk, the Cost of Downstream Impact

Tech Companies: Beyond Cyber Risk, the Cost of Downstream Impact

The rise of remote work and growing concerns over ransomware acted as partners-in-crime to get organizations to hone in on risk mitigation efforts over the past couple years. Through compiling our Risk Insights Index, we found that with certain initiatives —  safer or reduced usage of RDP, growing use of email security tools, and other measures taken to limit the impact of threat actors — businesses are more prepared than a year before and ready to play defense. Those efforts are borne out in our finding that the rate of companies who pay a ransom when attacked with ransomware fell by half within a year. 

[RELATED POST] Tips from Top Brokers: How to Play Offense in a Cyber Hard Market

Tips from Top Brokers: How to Play Offense in a Cyber Hard Market

The whisperings of “firming rates” start first, quietly in business meetings, then published in industry reports. Soon to follow, rumblings of a “hard market” are brought to the conversation. It’s cyclical in nature, and we see it across all insurance lines at one point or another. For years, Cyber Insurance stretched far and wide with “soft” market conditions, remaining highly profitable. Now that period of growth, with exceedingly available coverage and inviting terms, has stalled in the face of a hard market.