Third-party hacks expose businesses of all sizes to prospect of cyber attack

Sabre breach rattles wide web of interconnected networks, puts fresh focus on risk management


The breach of Sabre Corp.’s hospitality unit—which could impact tens of thousands of hospitality businesses—is the latest example of the potential ripple effects from a third-party breach.

But the breach, which Sabre disclosed to the U.S. Securities and Exchange Commission on May 2, is not just a reminder about the pervasiveness of this kind of risk.

Much of the discussion of third-party risk focuses on potential data theft. Less scrutinized is the risk stemming from the interconnectivity of the networks, says Brad Keller, senior director of third-party strategy at Prevalent, which provides third-party-risk management.


Sabre reported “unauthorized access to payment information contained in a subset of hotel reservations” processed through its hospitality system. The reservation system is used by more than 32,000 properties, from small hotels to major chains. It also interconnects with more than 100 applications for property, revenue, content or customer relationship management.

Keller calls this the spider web effect—where one system services many clients, and the separate systems talk to one another. One breach can give hackers access to multiple companies.


“It’s not just a question of the data on an individual system—it’s, ‘where else can I go into this spider web network once I get into one spot,’ ” he says.

In its quarterly Securities and Exchange Commission filing that disclosed the breach, Sabre said it couldn’t reasonably estimate at this time whether it will incur any liabilities due to the incident. But one has to look only as far as Target to see the magnitude of the damage that could arise from a third-party breach.

Outsourcing opens door to hackers

The risk is becoming more pervasive because of the growing trend in outsourcing, Keller says. As in any line of business, cyber criminals are looking to maximize their return on investment, which makes vendors an attractive target. In the case of someone like Sabre, it isn’t about the company size but about the access it could provide.

“They (cyber criminals) look for vendors that service a lot of companies but may not be that large and may not have the kinds of resources necessary to keep everything in check,” Keller says.

The spider web effect also compounds the problem because of the many layers of vendors in the supply chain, or what some in the industry refer to as Nth party because it’s unknown how many layers deep the outsourcing is.

“When you start trying to count the layers in the spider web, you don’t know how far it goes, and the further it goes, the knowledge drops for the (original) company,” Keller says.
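The spider web effect and the Nth-party layering described above can be made concrete as a directed graph, which is how a third-party-risk program would actually reason about blast radius. The following is an added example written for this page; it is not code from the article, from Prevalent or from Sabre. Edges are (supplier, client) pairs meaning the supplier's systems connect into, or hold data for, the client, so a breach of the supplier can reach the client. The organization names and relationships are constructed for illustration and are hypothetical. `blast_radius` answers Keller's question (where else can I go once I get into one spot) for a breached supplier, `nth_parties` and `unknown_beyond` show which suppliers fall outside an inventory that only records direct vendors, and `rank_by_blast_radius` surfaces the hub vendors that service many companies.

```python
"""Added example: modelling the 'spider web' of vendor interconnections.

Edges are (supplier, client). The graph below is constructed for
illustration; the names are hypothetical, not any real vendor list.
"""
from collections import defaultdict, deque

EDGES = [
    ("payment-gateway", "reservation-platform"),  # handles card data for the platform
    ("crm-app", "reservation-platform"),          # one of the integrated applications
    ("reservation-platform", "hotel-a"),
    ("reservation-platform", "hotel-b"),
    ("reservation-platform", "chain-x"),
    ("chain-x", "loyalty-partner"),               # chain-x shares guest data onward
]


def _adjacency(edges, reverse=False):
    """supplier -> [clients], or client -> [suppliers] when reverse=True."""
    adj = defaultdict(list)
    for supplier, client in edges:
        if reverse:
            adj[client].append(supplier)
        else:
            adj[supplier].append(client)
    return adj


def _bfs(adj, start):
    """Return {node: hops from start} for every node reachable from start."""
    depth = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in depth:
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
    return depth


def blast_radius(edges, compromised):
    """Organizations an attacker could reach after breaching `compromised`,
    keyed by the number of trust relationships (hops) needed to get there."""
    return _bfs(_adjacency(edges), compromised)


def nth_parties(edges, company):
    """The company's supply chain: direct vendors at depth 1, their vendors
    at depth 2, and so on. Anything deeper than 1 is an Nth party."""
    chain = _bfs(_adjacency(edges, reverse=True), company)
    del chain[company]
    return chain


def unknown_beyond(edges, company, inventoried_depth=1):
    """Suppliers the company has no direct relationship with: the part of the
    web that an inventory limited to `inventoried_depth` never records."""
    return {v for v, d in nth_parties(edges, company).items() if d > inventoried_depth}


def rank_by_blast_radius(edges):
    """Vendors ordered by how many organizations a breach of them would
    expose; the hubs at the top are the 'service a lot of companies' targets."""
    adj = _adjacency(edges)
    nodes = {n for edge in edges for n in edge}
    counts = {n: len(_bfs(adj, n)) - 1 for n in nodes}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for org, hops in sorted(blast_radius(EDGES, "payment-gateway").items(), key=lambda kv: kv[1]):
        print(f"{hops} hop(s): {org}")
    print("chain-x does not directly contract with:", sorted(unknown_beyond(EDGES, "chain-x")))
    print("highest-impact vendors:", rank_by_blast_radius(EDGES)[:3])
```

In the constructed graph a breach of the small payment gateway reaches every hotel on the platform in two hops and the loyalty partner in three, while chain-x, which only contracts with the reservation platform, would never see the gateway or the CRM application in a first-tier vendor inventory. Replace the edge list with the output of a real vendor inventory (contracts plus integration and data-sharing records) to get the same answers for an actual organization.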

Risk not on radar enough

A survey of risk in the third-party ecosystem by the Ponemon Institute found that most companies don’t have an inventory of all their third parties. At the same time, respondents believed that more than a third of their providers shared their sensitive information with Nth-party vendors. Only 20 percent knew how their data was being accessed and used by those vendors they didn’t have direct relationships with.

Despite the growing awareness about third-party risk, it’s still not on the radar of many businesses. Deloitte’s 2016 survey on global outsourcing found that cyber risks affected outsourcing decisions only for 23 percent of respondents. In a perhaps more encouraging sign, half said they were modifying their outsourcing processes to focus on security risks and protocols.

Keller is seeing a shift in how larger companies are addressing this risk. Not only do they have security assessments for their own vendors, they also are requiring these vendors, in turn, to have robust risk-management programs for their providers.

“Not only do (vendors) need to have good programs in place and respond to assessments, but they need to have their own program so they’re managing, effectively, the risk of any work that they’re outsourcing—and can demonstrate that to their client,” he says.

Regulators, too, are paying more attention. In health care, HIPAA was extended to business associates and the Department of Health and Human Services began putting more emphasis on business associate agreements. In banking, the state of New York turned the heat up a notch with its new cybersecurity rules, requiring written due diligence and warranties related to third-party providers.

Letting insurance cover risk

With the growing trend of cybersecurity insurance, more organizations will be looking at shifting some of their third-party risk. Sabre is a good example. In its SEC filing, the company stated that it has insurance that covers “certain aspects” of the risk, and it was working with its insurance carriers on this matter.

But Keller, who was once an insurance defense lawyer, is skeptical that insurance is the answer. He says the vendor business partnerships are about revenue preservation—ensuring the business is not losing a revenue stream because of a breach. And, he adds, there’s one other type of unrecoverable loss.

“Target was a good example,” he says. “You can recover a lot of costs, but how do you recover the damage to your reputation?”
