No matter how many resources a company throws at its data security measures, it may still be wide open for a cyberattack. The reason is simple: You can’t protect what you do not control. Third-party vendors are quickly becoming the route of choice around firewalls.
So says Jonathan Dambrot, CEO and co-founder of Prevalent, a Warren-based IT security, compliance and third-party risk management service provider.
“Depending on who you talk to, between 40 to 80 percent of all data breaches are happening at third-party vendors, because that is where most of the data is,” he said. “People are focusing on third-party data security risks because criminals are going after the data where it resides.”
Fixing the problem is not that easy.
Outsourcing work that is not part of a company’s core functions has been a longstanding trend for businesses. It has proven to be great for the bottom line, but it’s not so great when it comes to cybersecurity.
Dambrot points to data centers.
“Is your business thinking about building a data center?” he asked before answering. “No, you are outsourcing that.
“Are you thinking about building your own accounting software applications? No, you are outsourcing to Oracle or a similar vendor. For the most part, companies are outsourcing anything that isn’t core to the business and, in the process, sending all kinds of sensitive data — payroll, 401(k) — to service providers. In some cases, these providers may be weaker or softer targets for attack.”
A few years ago, the financial services industry was the most likely mark for third-party data security breaches. But, according to Dambrot, the massive Target database hack of 2013 changed the game.
“The Target breach actually was a third-party breach,” Dambrot said. “Then we saw vendor breaches with Dairy Queen and Home Depot. Now, we see this type of security attack against health care providers, manufacturers and pharmaceutical companies. We are seeing data breaches due to third parties in every industry.
“Nearly every organization outsources the processing of data.”
Dambrot and his co-founder, current Chief Technology Officer Norman W. Menz III, started Prevalent in 2004 as a general cybersecurity firm. In 2009, the company began building its vendor risk management platform.
Today, this third-party vendor risk service is the fastest-growing revenue component of Prevalent, which was recently one of seven New Jersey companies on the Cybersecurity 500, a list aimed at ranking the most innovative cybersecurity companies in the country.
Prevalent’s platform manages and monitors risks posed by third- and fourth-party vendors, monitors threats to determine what level of oversight is appropriate for individual clients and assesses vendor risk to help clients improve inefficient third-party vendor controls.
In January 2016, Prevalent launched its Legal Vendor Network using a collaborative assessment and threat intelligence platform it developed called Synapse. This network allows law firms to access and share security information about third-party vendors providing services to the legal field.
“Our goal was for this group of prestigious law firms to get together and standardize an approach to this type of risk,” Dambrot said. “We created a repository for vendor information and threat intelligence, which we provide, and make that available to the Legal Vendor Network members.”
Dambrot said he and his colleagues have identified other verticals, such as the mortgage industry, that would benefit from this collaborative approach.
According to Dambrot, processing mortgage applications requires several third parties to complete the process. Because of the information being processed, lenders have rigid compliance requirements and face government fines if personal data is mishandled.
Recently, Prevalent launched a Synapse platform for the mortgage software giant Ellie Mae, which processes nearly a quarter of all U.S. residential mortgage applications.
“If you are a mortgage lender, more likely than not, you are using Ellie Mae’s platform to follow compliance and bring those third parties into the fold,” Dambrot said. “Ellie Mae uses our product to manage their third-party risk and also enable the assessment of all of their 500-plus (lender) partners and share that assessment with their customers.”
This type of collaboration and real-time threat information sharing is widely believed to be the most effective defense against cybercrime available today.
In December 2015, both the House and Senate passed the Cybersecurity Act of 2015 to encourage companies to share with the government and each other technical details of hacking threats. This regulation reflects a growing acceptance of collaboration as a way to access data security threat intelligence and enforce vendor compliance.
According to Dambrot, cybersecurity regulations on third-party vendors will continue to tighten.
“Regulators have put controls in place over the last two and a half to three years, and there is a combination of reasons why third-party or downstream risk has become really important to people as they look at their cybersecurity,” Dambrot said. “Third-party vendor and business associate risk has really changed as vendor services have changed. Years ago, people weren’t talking about cloud usage as much as they are today, and so, regulators will continue to change the wording to match the way data is handled.”
On Twitter: @dariameoli