Few can forget the theft of 110 million customer credit cards from Target in December 2013. But not as many know how hackers gained access to such a vast amount of sensitive information. How'd they do it? By compromising the security of a third-party vendor, a Target branch store's HVAC provider.
Turns out a phishing email duped an employee at the HVAC company, Fazio Mechanical, into installing a piece of malware on their computer. With inadequate anti-malware software in place, the program slipped by undetected and then handed over login credentials to the hackers. With the keys to the castle in hand, the hackers ran wild and stole everything they could.
This massive heist is still being sorted out in the courts, but it serves as a great example of how security is only as strong as the weakest link. While companies pay enormous sums to lock down their most sensitive data (to the tune of $77 billion globally this year, as forecasted by Gartner), how much are they still leaving exposed via third parties?
While the cost of a serious data breach is hard to calculate, it is generally accepted as high. One report estimated it at $400 million for 70 organizations in various industries globally. The question is what the enterprise can do to protect itself from third-party vendor security breaches.
Treasury Department Gets into the Act
Responsible for protecting customers' money, financial institutions are dealing with the problem of cybercrime. As this threat has grown to include every industry, their investigations into preventing third-party vendor data breaches can provide some insight for prevention.
For example, the Office of the Comptroller of the Currency (OCC) compiled a list of "gotchas" that point to several risk profiles, none of which are exclusive to banks:
- Failure to properly assess, understand, and document the risk and cost of outsourcing services.
- Failure to perform proper due diligence and ongoing monitoring.
- Entering into contracts without a proper assessment of the third-party's risk controls.
- Entering into contracts that could incentivize a third party to take risks in order to maximize profit, even if those risks could be detrimental to the bank or its customers.
- Engaging in third-party relationships without a formal contract, or with inadequate contracts.
Obviously, these recommendations can apply to all industries.
Questions to Ask
Prevention is all about planning. Before entering a business relationship with a vendor (or if you're already thinking of filing for divorce), a company concerned about third-party risk should ask the following questions:
- Why are these services being outsourced in the first place?
- Is there any possibility the third party will subcontract?
- Do they have data centers based overseas?
- What data is being shared?
- What is the plan in the event of a third-party failure or breach?
- How often are vendors assessed?
These questions should be answered with solid documentation, including a map of third-party relationships, performance reports, audits, reviews, and a comprehensive due diligence report. If a company is serious about security, what was previously agreed upon with verbal promises has to be supplanted with a paper trail.
Trust is necessary in every relationship, but too much blind trust, while expedient, can potentially open your company to breaches and legal liability. As we've seen with the Target case, sorting out a large data breach is a long and costly process.
Re-Evaluating Vendor Assessments
No two vendor relationships are alike, and not all vendors should be treated the same or painted with the same security assessment brush. As it is, traditional vendor assessments fall short in two areas:
- Rating reports largely produce an arbitrary score which fails to encompass the bigger picture. Important questions to ask instead when dealing with a vendor include, "What is the nature of this relationship?" and "What is our potential exposure in the event of an incident?"
- Regular reviews are typically performed on an annual basis which hardly bring urgency to the issue. In potentially risky relationships, continuous monitoring done in real-time may be necessary.
Unfortunately, you can't leave house keys under the doormat for the plumber. Businesses put themselves at serious risk if they expect their third parties to do the right thing, or if they assume their vendors are infosec-savvy. Perhaps "Trust but verify" should be replaced with, "Confirm partners take security as seriously as you do."
The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.
This article is published as part of the IDG Contributor Network. Want to Join?