Exactis Data Leak Illustrates the Enormity of an Organization’s Potential Third-Party Cyber Risk

With hundreds or thousands of complex, highly interdependent, Internet-connected systems, it’s no wonder that an enterprise’s potential third-party cyber risk has multiplied in recent years.

Even if you think you’ve identified and patched all the vulnerabilities in your enterprise systems, you likely haven’t even thought about all the holes in your SaaS apps AND the vulnerabilities from the vendors they use. For example, the recent data leak at Exactis exposed the records of 340 million people online. “For some reason, Exactis failed to place the database behind a firewall, leaving it open for anyone to access.”1 Now imagine for a moment that you’ve partnered with Exactis; if their database is not secured, hackers have a potential way to break into your organization. It’s like having a bad dinner guest who leaves the back door wide open at your house. Are you monitoring for situations like that? Because if you are not, the worst can happen.

Case in point: last week Ticketmaster UK “had thousands of personal customer information compromised. This may include name, address, email address, telephone number, payment details and Ticketmaster login details, the company said,”2 blaming the loss on a third-party vendor in their supply chain.

We talked about the third-party data breach of [24]7.ai earlier this year on our blog and it bears repeating: “Once again, a third-party vendor may have exposed sensitive credit card information of hundreds of thousands of Delta Air Lines and Sears customers. The attack shows the vulnerability to reputation and risk from attacks on third-party vendors. The company, [24]7.ai, a customer services company, says that it was a malware attack in late 2017 that made the loss possible.”

So, in cases like these, if you are not monitoring your vendors, who is? Nobody, that’s who. That’s why it’s your job to ensure you understand, measure, and control your organization’s third-party cyber risk. Otherwise, it could be your company’s name in the news.

RiskRecon Can Help

RiskRecon’s continuous monitoring solution delivers risk-prioritized action plans that enable precise, efficient elimination of companies’ most critical third-party security gaps. Its data-driven SaaS service relies on passive, direct analysis of Internet-facing systems to quantify risks and provide straightforward evidence necessary for remediation. Rather than producing a laundry list of issues, RiskRecon’s custom analytics quantify true risk by determining each system’s issue severity and asset value. Only RiskRecon enables customers to build a scalable, third-party risk reduction program that compresses remediation cycle time, improves analyst productivity, and ensures constructive vendor collaboration.

Want to learn more? Please request a demo.


1 Michael Kan, “Marketing Firm Accidentally Exposes 340 Million Records Online,” PCMag, June 27, 2018. https://www.pcmag.com/news/362143/marketing-firm-accidentally-exposes-340-million-records-onli

2 Kevin Townsend, “Ticketmaster Blames Third Party Over Data Breach,” SecurityWeek, June 28, 2018. https://www.securityweek.com/ticketmaster-blames-third-party-over-data-breach