Third Party Risk Management

Dealing with Breach Fatigue in the 21st Century

Third party breaches are going to happen. How do you protect your institution?

Sometimes you could have mitigated them, whether it be internal policies and procedures and practices or having the third party do the same. Sometimes your mitigation could be to stop doing business with the third party.

Breach fatigue is a lot like Groundhog Day: it just keeps happening, with the same result, and you cannot get out of it. Some have estimated that it took Phil Connors 12,395 days – just under 34 years – to learn everything he really needed to know to escape. Is that you?

Capital One could have applied the configurations documented by AWS to make their environment more secure, and they did not. Yet how much business have they lost? Equifax was hacked. How much business have they lost? And how much have either of these events hurt your institution? Have steps been taken to mitigate the risk? Or will that happen sometime in the next 34 years?

Let’s try to stop this now before the fatigue desensitizes us to the point where we no longer care. At least Phil continued to care enough to want to do what he needed to do to make it stop. So I will be Ned Ryerson and, while trying not to step into the pothole of cold water, will give you a good strategy to stop hearing “I Got You(r Data), Babe!” every morning.

You know that the risk exists, and you know that it is not possible to fully transfer the risk through any number of strategies, including discontinuing business with the vendor. So you need to prepare a plan that handles the situation. A breach will (has!) happen(ed) to one (two!) of these vendors, and it will happen again. You need to have a mitigation strategy ready to go when the next breach happens to one of these types of vendors.

Your mitigation strategy should include:

  • Creating and testing a communication plan that spells out what you will communicate, to whom, and when: getting information to and from the vendor, to and from your personnel, and to and from your customers, depositors, and clients.
  • Having an excellent cybersecurity program, including software, policies, procedures, and education.
  • Updating security software as often as appropriate.
  • Providing and requiring employees to have updated security training every year, with the security training more than the rote memorization of a boring security speech. Take steps to make the security training interesting and engaging. Proposing a hero’s journey by couching it as stopping the criminal at the gates may help with better engagement.
  • Implementing transaction monitoring services to look for outliers. This is fairly common when looking for fraud and should be in place already.
  • Employing identity theft/fraud monitoring services for affected customers, depositors, and clients, with provider contracts already signed and money actually set aside to fund the service.
  • Implementing two-factor authentication that supports password reset, allowing your locked-out customers to request a password change while you remain absolutely sure it is them.
  • Changing all passwords, thus requiring password reset.
  • Creating a plan that will determine what was stolen – how much information was taken at each sensitivity level (least, more, and most sensitive) – and a plan to tell your customers, depositors, and clients.
  • Changing account numbers and issuing new credit and debit cards.
  • Implementing anti-phishing policies and procedures so that phishing does not make it in the door and so that your employees know what it looks like.
  • Configuring your firewall now! Better yet, read the manual telling you how to configure your firewall now, and then do it.
  • Implementing data segmentation and the principle of least privilege.
  • Implementing systems that monitor and control access in real time, enable analytics that provide insight on user behavior, and use risk-driven mitigations that are endpoint independent.
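The two items above about transaction monitoring for outliers and about real-time monitoring with user-behaviour analytics are the kind of thing that is easier to see in code than to describe. The following is an added example, not code from the original article or from any vendor it mentions. It runs three independent checks over each customer's own history: a robust amount outlier test (median and MAD rather than mean and standard deviation, so one big transaction does not distort the baseline), a velocity check for too many transactions in a short window, and a never-before-seen merchant country. The transaction data, customer IDs, thresholds and the `monitor` / `modified_z_score` function names are all constructed for the example.

```python
"""Transaction-monitoring outlier checks over a constructed sample.

Added example, not from the original article. Every check only looks at
the customer's *earlier* transactions, so the logic is what a streaming
monitor would apply as each new transaction arrives.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: (customer_id, ISO timestamp, amount, merchant_country)
SAMPLE_TRANSACTIONS = [
    ("C1001", "2024-03-01T09:12:00", 42.10, "US"),
    ("C1001", "2024-03-02T12:30:00", 18.75, "US"),
    ("C1001", "2024-03-03T18:05:00", 65.00, "US"),
    ("C1001", "2024-03-04T08:40:00", 23.40, "US"),
    ("C1001", "2024-03-05T19:15:00", 51.20, "US"),
    ("C1001", "2024-03-06T10:00:00", 30.00, "US"),
    ("C1001", "2024-03-07T11:20:00", 47.00, "US"),     # in line with history
    ("C1001", "2024-03-07T23:58:00", 4800.00, "RO"),   # huge amount, new country
    ("C2002", "2024-03-07T09:00:00", 12.00, "US"),
    ("C2002", "2024-03-07T09:02:00", 9.50, "US"),
    ("C2002", "2024-03-07T09:04:00", 11.25, "US"),
    ("C2002", "2024-03-07T09:06:00", 10.00, "US"),     # 4th in 6 minutes
]

MAD_SCALE = 0.6745  # makes the MAD comparable to a std-dev for normal data


def modified_z_score(value, history):
    """Robust z-score of `value` against `history` (median/MAD based)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        # Degenerate baseline (e.g. identical amounts): fall back to the mean
        # absolute deviation; if that is also zero, any change is "infinite".
        mad = sum(abs(x - med) for x in history) / len(history)
        if mad == 0:
            return float("inf") if value != med else 0.0
    return MAD_SCALE * (value - med) / mad


def monitor(transactions, z_threshold=3.5, min_history=5,
            window_minutes=10, max_in_window=3):
    """Return one alert dict per flagged transaction, with a list of reasons."""
    by_customer = defaultdict(list)
    for cust, ts, amount, country in transactions:
        by_customer[cust].append((datetime.fromisoformat(ts), amount, country))

    alerts = []
    window = timedelta(minutes=window_minutes)
    for cust, rows in by_customer.items():
        rows.sort(key=lambda r: r[0])  # process each customer in time order
        for i, (ts, amount, country) in enumerate(rows):
            prior = rows[:i]
            reasons = []

            # 1. Amount outlier against this customer's own robust baseline;
            #    skipped until there is enough history to form one.
            if len(prior) >= min_history:
                z = modified_z_score(amount, [p[1] for p in prior])
                if z > z_threshold:
                    reasons.append(f"amount outlier (modified z={z:.1f})")

            # 2. Velocity: transactions in the trailing window, including this one.
            recent = sum(1 for p in prior if ts - p[0] <= window) + 1
            if recent > max_in_window:
                reasons.append(f"velocity ({recent} txns in {window_minutes} min)")

            # 3. Merchant country never seen before for this customer.
            if prior and country not in {p[2] for p in prior}:
                reasons.append(f"new country {country}")

            if reasons:
                alerts.append({"customer": cust, "timestamp": ts.isoformat(),
                               "amount": amount, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_TRANSACTIONS):
        print(alert["customer"], alert["timestamp"], alert["amount"],
              "; ".join(alert["reasons"]))
```

On the sample data only two transactions are flagged: the 4,800.00 purchase by C1001 (for both its amount and its unfamiliar country) and the fourth rapid-fire transaction by C2002. A customer with fewer than `min_history` prior transactions is never amount-scored, which is the right failure mode: a new account has no baseline, and scoring it against nothing produces noise rather than signal. In production the per-customer history would come from a store rather than a list, but the checks themselves do not change.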

Some of these are tasks you can do now to actually mitigate, while others are preparation for the event that will happen. All of these are helpful when looking to put a plan in place that protects and informs your customers when something happens, and it will happen.

Again, communicating what is in place and what will happen before it happens, and then communicating what is happening while the plan is being executed, along with what the client needs to do and how they are being protected as the event unfolds, will help. Transparency with your customers, depositors, and clients, with meaningful information, is awesome. A little protection and a little transparency, coupled with good pre-, during-, and post-event prevention and mitigation techniques, will go a long way: they actually protect customer data before the event, and they do the most for you and your customers to protect that data and recover after the event.