Following news that Priority Health issued a notice about a third-party data breach that originated at the law firm Warner Norcross & Judd (WNJ) in October 2021 (https://healthitsecurity.com/news/120k-priority-health-members-impacted-by-third-party-data-breach), cybersecurity experts explain the risk posed by third-party companies.
Cybersecurity risk from third parties has risen to a level that no organization can afford to neglect. In this case, a large amount of Priority Health’s customer data was compromised, and the company was only notified more than half a year later. During that window, cybercriminals could have used the personal information to commit fraud or identity theft, or leveraged it to construct convincing social engineering campaigns targeting the victims directly. Worse, without notification, neither Priority Health nor its customers could take proactive steps to protect themselves from such attacks.
To protect themselves, organizations must adopt a culture of security that includes managing third-party risk. It starts with knowing which third parties have access to your systems or data and taking steps to ensure they follow cybersecurity best practices, but this alone is no longer enough. Organizations must take ownership of their own threat model and go beyond simply trusting a third party’s attestations, even a SOC 2 report or a recent penetration test report. Businesses must proactively demand visibility and security controls within their vendors’ systems: tenant-specific data encryption; access controls that require the customer to approve access to its data, even by the vendor’s own staff; and visibility into audit logs, ideally with the ability to stream those logs to the customer’s own security monitoring system so that potentially malicious activity can be detected whether the source is the customer’s own personnel, an external attacker, or the vendor itself.
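To make the last of those controls concrete, here is an added example (not from the article, and not code from Priority Health, WNJ or any vendor) of the kind of check a customer can run once a vendor streams its audit log to the customer's own monitoring system: every vendor-staff access to the customer's tenant is matched against the approvals the customer actually granted, and anything unapproved is raised as a finding. The log format, the approval-record format and the field names (`ts`, `actor`, `actor_type`, `action`, `resource`, `tenant`) are assumptions for illustration; the sample log lines and approvals are constructed.

```python
"""Check vendor audit-log events against customer-granted access approvals.

Added example: the vendor's log format, the approval-record format and the
field names (ts, actor, actor_type, action, resource, tenant) are assumptions
for illustration, not any real vendor's schema.
"""
import json
from datetime import datetime, timezone

# Constructed sample log lines, as a vendor might stream them to the customer's SIEM.
SAMPLE_AUDIT_LOG = """\
{"ts": "2022-05-10T09:00:00Z", "actor": "alice@customer.example", "actor_type": "customer", "action": "read", "resource": "members/12345", "tenant": "tenant-a"}
{"ts": "2022-05-10T09:05:00Z", "actor": "support1@vendor.example", "actor_type": "vendor_staff", "action": "read", "resource": "members/12345", "tenant": "tenant-a"}
{"ts": "2022-05-10T11:00:00Z", "actor": "support2@vendor.example", "actor_type": "vendor_staff", "action": "export", "resource": "members/*", "tenant": "tenant-a"}
{"ts": "2022-05-10T13:30:00Z", "actor": "support1@vendor.example", "actor_type": "vendor_staff", "action": "read", "resource": "members/67890", "tenant": "tenant-a"}
this line is not JSON and should be counted as malformed
"""

# Constructed sample approvals: each grants one vendor account a time-boxed
# window on one tenant, tied to a change ticket the customer approved.
SAMPLE_APPROVALS = [
    {"actor": "support1@vendor.example", "tenant": "tenant-a",
     "valid_from": "2022-05-10T08:00:00Z", "valid_until": "2022-05-10T12:00:00Z",
     "ticket": "CHG-0001"},
]


def _parse_ts(value):
    """Parse an RFC 3339 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_audit_log(text):
    """Parse newline-delimited JSON; return (events, malformed_count).

    Malformed lines are counted rather than silently dropped: a sudden rise in
    unparseable lines is itself worth an alert (schema change, tampering, or a
    truncated stream).
    """
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            event["_ts"] = _parse_ts(event["ts"])
            events.append(event)
        except (ValueError, KeyError, TypeError):
            malformed += 1
    return events, malformed


def is_approved(event, approvals):
    """True if an approval covers this actor and tenant at the event's timestamp."""
    for a in approvals:
        if a["actor"] != event.get("actor") or a["tenant"] != event.get("tenant"):
            continue
        if _parse_ts(a["valid_from"]) <= event["_ts"] <= _parse_ts(a["valid_until"]):
            return True
    return False


def find_unapproved_vendor_access(events, approvals):
    """Return findings for vendor-staff events that no approval covers.

    Bulk actions (export) are rated higher than single-record reads so the
    SOC can triage them first.
    """
    findings = []
    for e in events:
        if e.get("actor_type") != "vendor_staff":
            continue
        if is_approved(e, approvals):
            continue
        severity = "high" if e.get("action") == "export" else "medium"
        findings.append({"ts": e["ts"], "actor": e["actor"], "action": e.get("action"),
                         "resource": e.get("resource"), "severity": severity})
    return findings


if __name__ == "__main__":
    evts, bad = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(f"parsed {len(evts)} events, {bad} malformed line(s)")
    for f in find_unapproved_vendor_access(evts, SAMPLE_APPROVALS):
        print(f"[{f['severity']}] {f['ts']} {f['actor']} {f['action']} {f['resource']}")
```

On the constructed sample, the approved read by `support1` at 09:05 passes, the bulk export by `support2` with no approval is raised as high severity, and the read by `support1` at 13:30, after the approval window expired, is raised as medium. The approval window is deliberately checked against the event timestamp rather than just the actor, since a standing "this account is trusted" rule would reproduce exactly the blind trust the article argues against.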