The Cybersecurity Risks of Outsourcing to Third Parties

Whether the goal is to reduce costs, simplify operations, or enhance customer service, outsourcing can do wonders for a company. Unfortunately, it also comes with a degree of risk. Problems with a third-party service can cause extreme damage to an organization’s reputation. This is particularly true when a data breach is involved.


The Dangers of Outsourcing

When outsourcing services to another company, the primary organization will lose some control. This is the nature of outsourcing, but it becomes a problem when the third party is later found to be unreliable in some way. Even if the third-party organization is reputable, mistakes and failures can still occur.

Considering that outsourcing is so popular, it’s possible that the third party an organization is using is also outsourcing. If this is the case, data may be accessible not only to the third party but also to the other parties they outsource to. This creates an even greater degree of vulnerability.

The Wipro Case

When it comes to the dangers of data breaches, the 2019 hacking of Indian IT outsourcing and consulting agency Wipro is a good example.

Wipro provides IT services to international organizations across six continents. These include Fortune 500 companies, government organizations, banks, and healthcare facilities. Up until March of 2019, the state of Nebraska had a contract with Wipro and was planning on using them to provide upgrades to the state’s Medicaid enrollment system. State leaders cancelled the contract and sent out a cease and desist letter after receiving word that hackers had gained access to Wipro computer systems.

During the attack, the hackers were able to install remote access tools and get into the networks of some of Wipro’s clients. Investigations later revealed that the attack was most likely carried out by a group that uses phishing tactics and gift-card fraud to go after large corporations. It’s believed that the same group may have carried out attacks in the past.

The Blackbaud Incident

Another example of outsourcing dangers is the attack on Blackbaud, which took place in February of 2020. Blackbaud is a cloud computing provider that serves a variety of nonprofit and charitable organizations, colleges, and medical institutions. Although the attack happened in February, no one at the company was aware of the problem until mid-May, when a suspicious login prompted an investigation.

The hackers were able to gain access to data stored by Blackbaud. The company insists that the cybersecurity team was able to stop the attack and secure the network before the hackers were able to access sensitive client data. However, independent investigations from some of Blackbaud’s clients, such as Middlebury College in the United States, found that although no social security or credit card information was hacked, other sensitive data may have been.

This incident caused great concern for the company’s clients. Blackbaud’s representatives have refused to share details about the exact data the hackers accessed. There were hundreds of reports filed regarding the incident. Experts are not sure whether the company can guarantee that the accessed data is now safe. Blackbaud has a team monitoring the dark web for signs of the sensitive data and hasn’t yet come across anything, but the breach has still tarnished the company’s reputation. A class action lawsuit was filed in the United States District Court of South Carolina.

Managing the Risks of Outsourcing

1. Negotiate the Right Contract

Organizations can do a lot to reduce the risks. Setting up a contractual agreement that allows for the sharing of less data is a good start. A third party doesn’t necessarily need to access an organization’s entire database to do their job. Still, many of these vendors are often given full access to an organization’s servers and administrative processes. Taking the time to negotiate a great contract will go a long way.

2. Create a Plan for Risk Management

Cybersecurity will be an ongoing issue, so it’s important for organizations to have a plan in place. The plan must cover what data the third-party group can access, how to track that access, and what will happen if a breach does take place.

3. Outsource Wisely

Vetting third-party groups is a smart move. The vetting needs to occur before signing contracts and continue as an ongoing strategy. Carrying out independent audits of the third-party organization’s activity will help determine if their practices are safe.

4. Make Sure the Third-party Representatives Have Unique Accounts

Some organizations give their third-party vendor one single account that all representatives can access. While this might seem simple and efficient, it places the organization’s data at great risk. A shared account can make it difficult to discover the root cause of cybersecurity issues. Having separate accounts will also increase security by preventing former workers from accessing the account after they leave the company.
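One way to audit for the two problems described above, shown as an added example that is not part of the original article: it flags vendor accounts with overlapping sessions from different source addresses (a sign of a shared credential) and logins by accounts whose owner has already left the vendor. The account names, addresses, record layout and offboarding list are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample sessions: (account, source address, login, logout).
SESSIONS = [
    ("vendor-support", "198.51.100.10", "2024-03-04T09:00", "2024-03-04T11:30"),
    ("vendor-support", "203.0.113.77", "2024-03-04T10:15", "2024-03-04T12:00"),
    ("v-asmith", "198.51.100.10", "2024-03-04T09:05", "2024-03-04T17:00"),
    ("v-asmith", "198.51.100.10", "2024-03-05T09:00", "2024-03-05T17:00"),
    ("v-bjones", "198.51.100.23", "2024-03-20T08:00", "2024-03-20T09:00"),
]
# Constructed offboarding list supplied by the vendor: account -> last working day.
OFFBOARDED = {"v-bjones": "2024-03-15"}


def shared_account_suspects(sessions):
    """Return {account: {addresses}} for accounts that were logged in from
    different source addresses at the same time. This is a signal to review,
    not proof: one person switching networks can also trigger it."""
    by_account = defaultdict(list)
    for account, addr, start, end in sessions:
        by_account[account].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end), addr))
    suspects = {}
    for account, rows in by_account.items():
        rows.sort()  # order by login time
        for i, (_s1, e1, addr1) in enumerate(rows):
            for s2, _e2, addr2 in rows[i + 1:]:
                if s2 >= e1:
                    break  # later sessions start after this one ended
                if addr1 != addr2:
                    suspects.setdefault(account, set()).update({addr1, addr2})
    return suspects


def logins_after_offboarding(sessions, offboarded):
    """Return sessions that started after the account owner's last working day."""
    hits = []
    for account, addr, start, _end in sessions:
        last_day = offboarded.get(account)
        if last_day and datetime.fromisoformat(start).date() > date.fromisoformat(last_day):
            hits.append((account, addr, start))
    return hits


if __name__ == "__main__":
    print("Possible shared accounts:", shared_account_suspects(SESSIONS))
    print("Logins after offboarding:", logins_after_offboarding(SESSIONS, OFFBOARDED))
```

With per-person accounts, each hit maps to one named representative, which is what makes the root-cause question answerable.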

5. Know When to Walk Away

It takes a lot of effort to set everything up to work with a third-party group, but that doesn’t mean walking away isn’t sometimes the best option. If a third-party data breach has occurred, the management team from the primary organization will need to determine whether moving forward together is the right move.

It’s possible that the third party wasn’t responsible for the breach. It’s also likely that after a breach, an outsourcing organization will increase their cybersecurity to prevent the same thing from happening again. Switching to a different vendor won’t necessarily solve the issue. Nothing guarantees that the new organization won’t also have issues with security. Leaders will need to examine all factors before making a decision.

That said, if a breach occurred that caused damage to the reputation of the primary organization, cutting ties will likely be necessary.

Actions to Take Post Data Breach

A study by IBM found that it takes an average of 197 days for an organization to recognize that a data breach has occurred. It can take another 69 days to contain the problem and regain security. This means that a quick response from the organization’s security team is imperative. The faster an organization can contain the breach, the more likely they are to stop disastrous results and save their reputation.
