VPN Mentor’s research team discovered a breached database at cloud backup provider SOS Online Backup that contained more than 135m records. While this information apparently did not fall into malevolent hands, the incident highlights the cybersecurity risks posed by the use of third-party service providers.
This is yet another example of how the corporate networks of companies large and small are only as secure as their weakest link. Deficient cybersecurity at third-party service providers can cause significant financial damage for clients—the companies that have outsourced parts of their critical digital infrastructure. SOS Online Backup has marketed itself as “the world’s most secure online backup” cloud service. As highlighted in Cyberhedge analysis, external vendors are increasingly targeted by hackers as breach vectors into companies, both because of the huge amount of data they can access and because vendors are seen as increasingly likely to pay ransoms. As cloud storage has become the norm for companies, it represents a particularly valuable area for hackers to target.
This presents important challenges for companies’ cyber governance. It is not enough for companies to audit their internal systems. External systems must be taken into account as well. And, as covered in yesterday’s Daily, the lack of “security by design” in so many products used by companies today—or in products introduced by employees for personal use—is a huge and growing structural problem that companies have to contend with when making decisions about the security of digital assets. Though the operational expertise and functions that bring business benefit to companies can be outsourced, the risk cannot be. Ultimately, if a key third party is compromised, it can increase the likelihood of a financially damaging breach event that the clients, the household names of the corporate world, must own.