Third-Party Pitfalls: Securing Private Data in Government Operations



Government organizations rely on third-party contractors to deliver crucial services such as IT support and specialized consultancy. These entities are driven by the necessity for expertise, cost reduction, and the pursuit of operational efficiency. However, this trend introduces significant cybersecurity risks and challenges in maintaining operational control. Integrating external service providers into critical public functions inherently expands the attack surface, giving cyber criminals more entry points to exploit.


This expanded attack surface is one reason the Verizon 2023 Data Breach Investigations Report finds cybersecurity threats to the public sector on an upward trajectory, a trend that tracks the overall rise in global cybercrime.

Services such as Ransomware as a Service (RaaS) have lowered the barrier to entry into cybercrime, allowing even those with minimal technical expertise to launch ransomware attacks. This commoditization of cyber-attack tools means that the vulnerabilities introduced by third-party contractors can be more readily and effectively exploited, posing a significant threat to public sector data security.

3 Reasons Third-Party Operations Remain a Risk

  1. Lack of Control

One of the primary challenges for the public sector is the lack of direct control over third-party operations. Government agencies usually cannot enforce stringent security measures on contractor-operated systems, nor respond to threats there with the agility they expect inside their own environments. This limitation hampers prompt and effective threat mitigation and complicates the enforcement of consistent security policies across agency and contractor systems.

  2. Vendor Vulnerabilities

Government bodies also face significant risks from their dependency on vendors’ security posture. If a third-party contractor has subpar cybersecurity practices, it directly jeopardizes the security of the sensitive data they handle for government agencies. The level of security risk becomes contingent on the contractor’s ability to defend against cyber threats, which may vary widely across different vendors.

  3. Misaligned Responses

Third-party vendors might have different levels of preparedness and protocols for handling security incidents, leading to a fragmented and often ineffective collective response to breaches. This inconsistency can result in delays and miscommunications, exacerbating the impact of security incidents.

A pertinent example of these risks is the breach involving Leidos, a major contractor for the U.S. government. In this incident, internal documents were compromised due to vulnerabilities in a third-party system operated by Diligent Corp. The breach highlighted how reliance on third-party services could lead to significant security lapses, affecting not just the direct contractor but also the government agencies and the sensitive data they handle.

Compliant Does Not Mean Secure

Contractors must meet stringent compliance rules to provide services to government entities. Merely meeting those standards is often mistaken for being secure. Compliance should instead be viewed as a starting point, not the pinnacle of security efforts. Government contractors, in particular, must recognize the limits of compliance if they are to adequately protect private information and systems.

Compliance standards provide a fundamental baseline of security measures that all contractors are expected to meet. However, these standards should not be seen as the ceiling of what can be achieved in cybersecurity. Instead, they serve as the minimum requirements. To effectively counteract emerging and sophisticated cyber threats, contractors must adopt additional, more advanced security measures. This proactive approach ensures that security keeps pace with the continuous advancements in cyber attack methodologies.


The Main Issues with Modern Compliance

The nature of compliance standards is inherently static, often lagging behind the rapidly evolving landscape of cyber threats. As cyber threats become more dynamic, merely adhering to these static standards can expose organizations to new cyber-attacks. This gap is particularly dangerous as new vulnerabilities and attack vectors emerge, which the existing compliance frameworks may not account for.

  1. The Checklist Mentality

A significant risk associated with a compliance-first approach is the development of a checklist mentality. In this scenario, contractors might focus solely on ticking off compliance requirements without fostering a comprehensive, proactive security culture. This mindset can lead to a superficial application of security measures, where the deeper, more systemic risks are overlooked. Such an approach does not cultivate the continuous vigilance required to effectively detect and respond to evolving cyber threats.

  2. Lack of Company-Specific Control

General compliance standards are also designed to apply broadly and may not address the specific operational or environmental risks unique to each contractor. This one-size-fits-all approach can be insufficient for contractors handling highly sensitive or classified information. Even though the standards for this type of data are higher, they are still generic within that tier. Without security measures tailored to the organization, there is no way to ensure that compliance mandates fully cover its actual operational risks.

Understanding the Leidos Breach

Leidos and several other Diligent clients suffered a breach due to significant vulnerabilities in tools used to manage board governance and other strategic management processes. Throughout 2022, the Diligent system experienced multiple security lapses, suggesting systemic weaknesses in its security practices. These breaches were not a single event but recurred over the course of the year, which complicated detection.

Diligent Corp. responded to these breaches by notifying affected customers, such as Leidos, and took immediate corrective actions by November 2022. However, the public and potentially some affected parties only became aware of the extent of the problem when Bloomberg News reported the leaked documents in mid-2024. This delay in public disclosure underscores weaknesses in real-time threat detection and incident reporting, raising concerns about the effectiveness of existing security and monitoring systems within third-party-operated services.

How to Mitigate Third-Party Risk

Modern data security solutions, such as Data Detection and Response (DDR), can minimize the risk for government entities using third-party contractors. Tackling threats from both sides of the risk surface – that is, malware and privacy – DDR focuses on preemptive protection. 

DDR neutralizes threats by sanitizing incoming files in real-time, ensuring that only clean, safe content reaches internal networks. This method is crucial when handling data exchanged with, or managed by, third parties, as it reduces the potential for malicious content to enter via compromised or insecure external channels. By stripping out known and unknown threats before they can cause harm, advanced DDR systems provide a robust layer of protection that complements traditional security measures, addressing the direct risks associated with data breaches and regulatory non-compliance.

Additionally, advanced DDR solutions incorporate privacy and compliance features that are particularly beneficial for government operations. The technology ensures that private data, whether personally identifiable information (PII), protected health information (PHI), payment card data (the scope of PCI DSS), or classified government data, is masked in real time to protect against unauthorized access and damaging data breaches.

This dual approach—securing data against malware and preserving its confidentiality and integrity—helps government agencies maintain stringent compliance with laws like GDPR, HIPAA, and others. Such capabilities are essential when collaborating with third-party vendors, minimizing the risk of data exposure while maintaining compliance with legal and regulatory standards.
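As an added illustration (example code written for this page, not Votiro's DDR product or any code from the original post), the following Python script performs the two operations the preceding paragraphs describe on a constructed OOXML package: it rebuilds the document without the parts that carry active content (VBA project, OLE embeddings, ActiveX controls) and masks SSNs, Luhn-valid card numbers and e-mail addresses in the XML text before the file is passed on. The drop-list, the PII patterns and the sample document are assumptions made for the example.

```python
"""Minimal content-sanitization pass in the spirit of the DDR approach above.
Example code written for this page, not Votiro's product. The sample document,
the list of "active" parts and the PII patterns are assumptions."""
from __future__ import annotations

import io
import re
import zipfile

# OOXML parts that carry executable or embedded content (assumed drop-list).
ACTIVE_PARTS = (
    re.compile(r"^(word|xl|ppt)/vbaProject\.bin$"),
    re.compile(r"^(word|xl|ppt)/embeddings/"),
    re.compile(r"^(word|xl|ppt)/activeX/"),
    re.compile(r"\.(exe|dll|scr|js|vbs|hta|jar)$", re.IGNORECASE),
)

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators


def is_active(name: str) -> bool:
    """True if a package part is on the drop-list."""
    return any(p.search(name) for p in ACTIVE_PARTS)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary digit runs are not masked as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pii(text: str) -> tuple[str, dict[str, int]]:
    """Replace PII with placeholders; returns (masked_text, counts per category)."""
    counts: dict[str, int] = {}

    def card_repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()            # not a card number, leave it alone
        counts["CARD"] = counts.get("CARD", 0) + 1
        return "[CARD REDACTED]"

    text, n = SSN_RE.subn("[SSN REDACTED]", text)   # SSNs first, so their digits
    if n:                                           # cannot merge into a card run
        counts["SSN"] = n
    text = CARD_RE.sub(card_repl, text)
    text, n = EMAIL_RE.subn("[EMAIL REDACTED]", text)
    if n:
        counts["EMAIL"] = n
    return text, counts


def sanitize_ooxml(data: bytes) -> tuple[bytes, dict]:
    """Rebuild a zip-based Office file keeping only passive parts and masking
    PII in its XML parts. Returns (clean_bytes, report)."""
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not a zip-based Office document")
    removed: list[str] = []
    masked: dict[str, int] = {}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if is_active(name):
                removed.append(name)
                continue
            body = src.read(name)
            if name.endswith(".xml"):
                text, found = mask_pii(body.decode("utf-8", "replace"))
                for k, v in found.items():
                    masked[k] = masked.get(k, 0) + v
                body = text.encode("utf-8")
            dst.writestr(name, body)
    return out.getvalue(), {"removed": removed, "masked": masked}


def package_parts(data: bytes) -> dict[str, bytes]:
    """Helper: map of part name -> contents, used by the demo below."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {n: z.read(n) for n in z.namelist()}


def build_sample() -> bytes:
    """Constructed stand-in for a macro-enabled .docm; real packages have more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   "<w:t>Contact jane.doe@example.gov, SSN 123-45-6789, "
                   "card 4111 1111 1111 1111, ref 1234567890123</w:t>")
        z.writestr("word/vbaProject.bin", b"placeholder, not a real macro container")
        z.writestr("word/embeddings/oleObject1.bin", b"placeholder OLE payload")
    return buf.getvalue()


if __name__ == "__main__":
    clean, report = sanitize_ooxml(build_sample())
    print(report)
    for part, body in package_parts(clean).items():
        print(part, body[:120])
```

Two design points worth noting. The package is rebuilt rather than scanned: parts that are not on the drop-list are copied, everything else is discarded, which is what makes the approach independent of whether a given macro or embedded object is already known to be malicious. The "ref 1234567890123" run in the sample survives masking because it fails the Luhn check, which keeps reference numbers and identifiers readable; a production masker would also have to reassemble text split across multiple `w:t` runs and handle PDFs, images and other formats with their own parsers.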

Votiro Helps Protect the Public Sector

If you’re attending GovWare or are a public sector entity concerned about the security risks third-party contractors can pose, don’t miss the opportunity to visit the Votiro booth – M15 – and discover how our Zero Trust Data Detection and Response can safeguard your operations.

You can also schedule a demo to see how our proactive data security technologies protect private data from emerging threats and ensure compliance with the strictest standards.

