One of your vendors will suffer a data breach. It is a when, not an if. They may have already, but not yet know it. Because marketing handles so much customer data, it’s essential to know what to do when a breach happens.
There will be a breach
In 2023, 61% of companies reported a third-party breach, according to a study by Prevalent, a third-party risk management provider. That’s an increase of nearly 50% in the previous 12 months and three times as many as in 2021.
Furthermore, these breaches are expensive and slow to be discovered. The average cost of a data breach this year is $4.88 million, the highest average on record, according to the 2024 IBM/Ponemon Cost of a Data Breach Report. The average time from a breach happening to its being discovered is 194 days, the report found. Also, the average time from discovery to the breach being contained is 292 days.
Here are just a few of the major breaches so far this year:
- Russia used an attack on Microsoft’s email systems to steal data and personal information from the US government.
- Personal information for approximately 6.5 million Bank of America customers was stolen through the systems of Infosys McCamish.
- Nearly a terabyte of data was stolen from Disney via Slack.
“One security problem with SaaS is implicit trust,” said Paul Shread, international editor for The Cyber News from threat intelligence vendor Cyble. “You’ve invited the vendor deep into your environment.”
What to do before it happens
Any enterprise of significant size already has an IT security unit with policies and procedures for vetting vendors. These involve checking vendors’ security practices, understanding how they handle their data and ensuring they follow your security standards and data handling requirements.
If you are a smaller business, that IT security “unit” should be one person in particular in your IT department. If that is beyond the scope of expertise of your staff, then you probably should be outsourcing your IT function.
“When you’re doing the onboarding of a vendor, look at certain standardization of compliance regulations and setting that up in the right way,” said James Alliband, head of marketing for Risk Ledger, a supply-chain risk-management solution provider. “Ask them what best practice is to ensure the software is running in a secure, compliant fashion.”
Other steps include:
- Using multi-factor authentication.
- Keeping an accurate inventory of vendors.
- Determining if you need cyber insurance to cover the cost of financial damages.
- Collecting only the data you absolutely need and not keeping it longer than necessary.
- Limiting access to the staff who absolutely need it.
- Encrypting data.
“The best you can do is to maintain good security practices to limit damage: role-based access control, device control, logging, monitoring, MFA, segmentation, encryption, configuration,” said Shread.
Finally, if you don’t already have an incident response plan, get one. The Federal Trade Commission has several useful resources for this.
The first thing to do
In most cases, the vendor will notify you by email. You must act as soon as it arrives.
“Inform your security team or the important person managing the software,” said Alliband. “Let them know what’s happened, what the email is, forward the email to them.”
The longer you wait, the bigger the problem will get. To that end, be sure you have the contact information available at all times.
Alliband said not to assume the security team knows what data is in that piece of software or what it connects to. So, the second thing is to get that information (if you don’t already have it) and pass it along.
“Let them know what the solution is, what data is in there, if there are certain things that are confidential in there,” he said. “Give them a full scope of what that is and rapidly educate them about that and who has access to the data internally as well.”
Establish clear lines of communication with the vendor
One person needs to be in charge of communicating with the vendor; otherwise, confusion will reign. That person may be from Infosec, but Infosec may want it to be someone from your team who knows the solution well.
The first thing to do is confirm the vendor is protecting data. How to do this should be in your incident response plan. Follow up with them regularly about this.
Review the contract
There are times in business when a lawyer is called for. This is absolutely one of them. Go over the contract with a legal expert. They can guide you through the legal parts, and you can help them with the technical parts. The contract should have a data breach notification requirement and possibly what remediation is required of the vendor.
Data breaches put a lot of stress on the vendor-client relationship. It’s essential that you can ensure the vendor is meeting their obligations.
Set clear expectations for next steps
When a data breach occurs, it’s crucial to establish a clear path forward. Here are things to consider.
Deep audit testing
This is essential for:
- Identifying the root cause of the breach.
- Assessing the full extent of the damage.
- Developing strategies to prevent future incidents.
Vendor cooperation
Your vendor’s willingness to work with you will determine where the relationship goes. Their cooperation should include:
- Providing full access to relevant systems and data.
- Allocating necessary resources for the audit.
- Sharing all pertinent information transparently.
Reluctance or resistance on any of these is a huge red flag. On the other hand, a commitment to cooperation and transparency means you have a good partnership.
Notify customers
The worst-case scenario is your customers find out about this breach from the press before they hear about it from you. In the end, all companies sell the same product: trust. Your customers must be informed as soon as possible, with as much information as possible. Do not wait until you have all the information about remediation. Tell them what you know and what steps you are planning to take. When you have substantial information, pass it along.
Stay in touch even if there are no developments, so they know you haven’t forgotten them.
After the breach
Even though the breach occurred externally, there are several things to do internally to deal with it.
- Determine the size of the breach: You need to know how many customers were affected and how many of your systems were compromised.
- Notify the correct government entities: Depending on your industry and location, you may need to contact law enforcement, regulators or the State Attorney General.
- Find the root cause: The breach has identified a weakness in your system. Find it and fix it.
- Review security processes: Solitaire teaches us that it is possible to do everything right and still lose. Take the time to review processes and find out if you did everything right.
- Document the incident: For legal reasons and internal review, it’s important to document as much as possible. Do this in real time, including electronic and verbal communication with the vendors, customers and government institutions. This will help in the security review process.
“The really important thing is absolutely protecting customer relationships, but don’t cause unnecessary panic either because that can be really time-consuming for customers,” said Alliband. “So many data breaches happen that the customers never hear about because they haven’t actually been affected by the breach itself.”