Vendor Vulnerabilities: Taking a Closer Look at 3rd Party IT Risks

September 4th, 2020
Vendor Vulnerabilities: Taking a Closer Look at 3rd Party IT  Risks

In May of 2020, the University of Southern Mississippi (USM) experienced firsthand the threat of third-party IT risks. Cybercriminals attempted a ransomware attack on the university through their technology partner Blackbaud. Quick thinking on behalf of the Blackbaud security team, along with law enforcement, was able to stop the attack before the criminals could successfully encrypt and hold ransom valuable university data. Although they were able to remove a small amount of data from the database, including some personal contact information, the criminals did not get away with any credit card numbers or social security information.

This attack shines a light on the continuous threat of cyberattacks and the potential devastation they can cause. With the increasing amount of information kept online and the growing number of transactions completed digitally, cybersecurity is a cornerstone concern for any organization.

In particular, businesses have begun to rely on various third-party vendors to help them maintain databases and manage online activities, as Blackbaud did for USM. These third-party vendors, despite their convenience, can pose an additional cybersecurity risk for businesses.

In just the first half of 2019, data breaches exposed 4.1 billion records. Additionally, the Ponemon Institute has found that over half of these data breaches came through third parties.

When these data security breaches come through outside vendors, the costs can easily become twice that of a normal breach. Organizations must factor in diminished reputation and trust, lost share value and lost business. The overall cost of failing to effectively vet and evaluate third-party vendors can be as high as $13 million.

Fortunately, businesses should also realize they are not at the mercy of cybercriminals. There are steps they can take to protect themselves and their customers, even when they work with outside vendors to improve their operations.


To effectively avoid data breaches and cyberattacks, and ensure that the business remains compliant with all applicable regulations, brands need to develop processes to manage the collection and sharing of the data they gather. To extend this protection to their interactions with outside vendors, they also need continuous monitoring and checks of the third parties that have access to any critical customer data.

To minimize the risk associated with third-party breaches, we have identified 6 main points that companies will want to consider to ensure they provide their customers with maximum security.

Point 1.Evaluate and monitor your suppliers’ security posture.

>Your vendor assessment should verify that your network has been thoroughly protected from third parties who have network access. Understand how they protect their systems and put outsiders on Vlans or separate networks. Access controls that empower you to limit vendors only to the resources needed to perform their tasks. If you uncover any security gaps, be sure to correct the problems immediately.

Point 2. Incorporate your risk management strategies into the contracts you sign with vendors.

Make sure that they understand your vigilance in cybersecurity as well as your expectations for them.

Point 3. Protect your business with cyber insurance.

If any type of breach or attack does occur, you need to protect what you have built with insurance to ensure that you have a path forward.

Point 4. Make sure that your cybersecurity plans incorporate the latest best practices.

This includes regularly rotating passwords, locking accounts after repeated unsuccessful attempts to access them, maintaining access to least privilege, by ensuring that people and vendors only have access to information they absolutely need, and maintaining careful path management.

Point 5. Pay careful attention to how information and data are shared with your vendor or supplier.

The National Institutes on Standards and Technology (NIST) recommend that annual reviews regarding this data sharing now be a requirement for quality cybersecurity.

Point 6. Consistently monitor internal access for any breaches that occur within an organization.

This will equip you to expedite remediation in the event of a compromise or breach, offering further protection for customers and your business.


To provide businesses with better cybersecurity, AGJ can provide organizations with the information and guidance they need to ensure they offer their clients the best possible protection.

  1. When you vet a new vendor to bring on board, we will provide an evaluation.
  2. We will regularly assess third parties and provide a second pair of eyes on their cyber posture.
  3. We will perform network risk and vulnerability assessments, including a thorough look at your systems.
  4. We will include third-party access evaluations to help you maintain tight control over who has access to your data and information.
  5. We will offer encryption management, providing a higher level of protection to secure and protect data and data transitions.
  6. Our professionals will provide penetration testing to identify any potential vulnerabilities in your security system.
  7. We will provide security awareness training for your staff, reducing internal vulnerabilities.
  8. We offer our clients cybersecurity insurance plans with LeapSecure Plus to help them protect their organization in the event of a cyberattack.


At AGJ, we are here to help you identify and mitigate your risk from third-party vendor breaches through vendor assessments and superior cybersecurity. We tailor our services to fit your needs, helping you feel confident in the cybersecurity you need to protect yourself and your customers in the modern digital world.
Reach out to us today for your assessment and let us give you an outside-in view of your digital system. We will help you uncover what a hacker might see and stop attacks before they even occur. Get started today.