Few can forget the Target breach of the 2013 holiday season, in which payment card data for some 40 million customers and personal information for up to 70 million more were stolen. But not as many know how the attackers gained access to such a vast amount of sensitive information. How’d they do it? By compromising the security of a third-party vendor, a refrigeration and HVAC contractor that serviced Target stores.
It turned out that a phishing email duped an employee at the HVAC contractor, Fazio Mechanical, into installing password-stealing malware on a company computer. With inadequate anti-malware software in place, the program slipped by undetected and handed the firm’s Target login credentials to the attackers. Those credentials opened a vendor-facing Target system, not the payment network itself, but that foothold was enough: from there the attackers worked their way to the point-of-sale systems and stole everything they could.
This massive heist is still being sorted out in the courts, but it serves as a great example of how security is only as strong as its weakest link. While companies pay enormous sums to lock down their most sensitive data (to the tune of $77 billion globally this year, as forecast by Gartner), how much are they still leaving exposed via third parties?
The cost of a serious data breach is hard to calculate, but it is generally accepted as high; one report estimated the combined losses at $400 million across 70 organizations in various industries worldwide. The question is what an enterprise can do to protect itself from breaches that originate with its third-party vendors.
Financial institutions, responsible for safeguarding customers’ money, have been dealing with cybercrime longer than most. Now that the threat has spread to every industry, their work on preventing third-party vendor data breaches offers useful guidance for everyone else.
For example, the Office of the Comptroller of the Currency (OCC) compiled a list of “gotchas” that point to several risk profiles, none of which are exclusive to banks:
Obviously, these recommendations can apply to all industries.
Prevention is all about planning. Before entering a business relationship with a vendor (or if you’re already thinking of filing for divorce), a company concerned about third-party risk should ask the following questions:
These questions should be answered with solid documentation, including a map of third-party relationships, performance reports, audits, reviews, and a comprehensive due diligence report. If a company is serious about security, whatever was previously agreed upon by verbal promise has to be replaced with a paper trail that can be checked.
Trust is necessary in every relationship, but too much blind trust, while expedient, can potentially open your company to breaches and legal liability. As we’ve seen with the Target case, sorting out a large data breach is a long and costly process.
No two vendor relationships are alike, and not all vendors should be treated the same or painted with the same security assessment brush. As it is, traditional vendor assessments fall short in two areas:
Unfortunately, you can’t leave house keys under the doormat for the plumber. Businesses put themselves at serious risk if they expect their third parties to do the right thing, or if they assume their vendors are infosec-savvy. Perhaps “Trust but verify” should be replaced with, “Confirm partners take security as seriously as you do.”
This article was originally posted on Network World.
Image credit iStockphoto.