“A security system is only as strong as its weakest link.”
Unfortunately for businesses like Target, the weak links in cybersecurity more often than not arise out of relationships with third parties. According to a survey conducted by Ponemon Institute in 2017, 56% of companies who suffered a data breach did so because of a vendor. Without exercising the appropriate level of due diligence, companies that suffer a data breach by way of a third-party vendor invariably get stuck holding the proverbial bag.
Target and its HVAC Vendor
The Target breach should represent a cautionary tale for all businesses. In 2013, Target had over 40 million credit cards stolen from its point of sale systems. The weak spot exploited by the bad guys? A third-party vendor, but not just any vendor. The culprit was Target’s HVAC vendor.
To be concise, the Target breach occurred because:
- Hackers installed malware by way of a malicious email on the HVAC company’s machine.
- The hackers used this malware to steal the HVAC company’s login credentials to Target’s vendor portal.
- Once inside Target’s vendor portal, hackers accessed Target’s point-of-sale devices (i.e., credit card machines) and installed additional malware.
- With malware loaded on Target’s machines, the hackers actively copied credit card information from customer transactions in real time.
- Hackers then sold the credit card information on the black market.
What seemed like an innocuous vendor with an assumedly simple job function acted as the gateway into some of Target’s most sensitive information. A nominal vendor fee produced a three-hundred-million-dollar problem. Target was neither the first business that suffered a breach by way of a third-party vendor (e.g., the OPM hack), nor will it be the last (as noted by the recent hacks of Sears and Delta Airlines). Companies can spend all the money in the world on combating cyber threats, but the “throw money at the problem” practice is pointless without proper management of a vendor’s data security. Here are three overarching principles to apply in the oversight of vendor cybersecurity.
Use Risk-Assessment Questionnaires
Organizations should always ask vendors to complete a risk-assessment questionnaire prior to any engagement. A risk-assessment questionnaire helps organizations get a better sense of a vendor’s privacy and data security policies, processes, and practices. If a vendor has access to your IT systems and data, you cannot balance cost versus risk without first understanding what the vendor does and does not do to protect sensitive information.
Examples of questions may include:
- Does your organization have an information security program in place?
- Does your organization protect data-at-rest and data-in-transit?
- Has your organization ever suffered a security incident such as a data breach?
- Does your organization undergo periodic vulnerability scans or penetration tests?
In a recent enforcement action, the FTC found that BLU Products Inc. failed “to perform adequate due diligence in the selection and retention of service providers.” The FTC offered this key takeaway on vendor due diligence:
“Before you hire a company to process sensitive data, dive into due diligence. Understand how their services work, what are you giving them access to, and what needs to be done to conform their conduct to the promises you make to customers.”
Negotiate Key Security Provisions in Your Vendor Contracts
Today, vendor access to a company’s personal information (on employees, customers, contractors, etc.) is often essential to the provision of services. With this in mind, companies should always negotiate expectations for how the vendor will safeguard the entrusted information. This isn’t just a CYA measure but is also legally required in certain states. Both California and Massachusetts laws explicitly require companies that use third parties to contractually agree that these third parties have reasonable security procedures in place.
At a bare minimum, contractual provisions in a vendor agreement should feature some of the following requirements:
(1) that the vendor comply with all applicable federal, state, and foreign (like GDPR) privacy laws, regulations, and industry standards;
(2) a definition of the standard of care the vendor must apply, such as industry standards like the NIST Cybersecurity Framework or ISO 27001/27002;
(3) a definition of what a security incident is and corresponding reporting and response obligations; and
(4) an indemnification provision that allocates the risk of loss between the parties.
When a data breach occurs by way of a vendor, it’s imperative you have a document with applicable data security provisions as a point of reference in the ensuing discussion on failure and fault. I could (and will at some point in the near future) do an entire article on necessary data security provisions in vendor service agreements. This has to be something done on the front end of the relationship.
Continuously Evaluate and Monitor a Vendor’s Data Security Performance
The work doesn’t end after you decide to work with a vendor. Companies should constantly re-evaluate a vendor’s performance and whether the vendor’s actions align with its promises. Moreover, companies should periodically reassess whether current vendors still need access to specific information on a “need to know” basis. One of the biggest mistakes companies make is forgetting to terminate a vendor’s access to sensitive information at the conclusion of the business relationship. Or, worse yet, failing to ensure that the vendor returns, destroys, or erases sensitive information when the engagement ends.
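One way to make that periodic re-evaluation concrete is a scripted access review that compares every vendor account against the contract it was granted under. The Python below is an added example, not code from the original article or from any of the companies it mentions; the account records, vendor names, scopes and dates are constructed, and the 90-day dormancy threshold is an assumed value. It flags the failure modes named above (access that outlives the contract, no return/destruction attestation, access beyond the contracted “need to know”) and, going slightly beyond the text, also flags dormant accounts and any activity recorded after the contract end date, since both are signals that the vendor’s actions no longer match its promises.

```python
"""Vendor access review: compare each vendor account's live access against
the signed agreement and report mismatches.  Added example with constructed
data; nothing here is taken from a real vendor register."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set


@dataclass
class VendorAccount:
    vendor: str
    account: str
    scopes: Set[str]                  # systems/data classes the account can reach today
    approved_scopes: Set[str]         # what the signed agreement actually allows
    contract_end: Optional[date]      # None = open-ended engagement
    last_login: Optional[date]        # None = account has never been used
    disposition_attested: bool = False  # vendor certified return/destruction of data


@dataclass(frozen=True)
class Finding:
    vendor: str
    account: str
    code: str
    detail: str = ""


def review_one_account(a: VendorAccount, today: date,
                       dormant_after: timedelta) -> List[Finding]:
    """Apply the contract-alignment checks to a single account."""
    out: List[Finding] = []

    def flag(code: str, detail: str = "") -> None:
        out.append(Finding(a.vendor, a.account, code, detail))

    # 1. Access should have been terminated when the engagement ended.
    terminated = a.contract_end is not None and a.contract_end < today
    if terminated:
        flag("ACCESS_OUTLIVES_CONTRACT", f"contract ended {a.contract_end.isoformat()}")
        # 2. The vendor must attest to return/destruction of the data it held.
        if not a.disposition_attested:
            flag("NO_DISPOSITION_ATTESTATION")
        # Logins after the end date mean the account is still being used.
        if a.last_login is not None and a.last_login > a.contract_end:
            flag("ACTIVITY_AFTER_CONTRACT_END", f"last login {a.last_login.isoformat()}")

    # 3. "Need to know": live scopes must not exceed what the contract approved.
    excess = a.scopes - a.approved_scopes
    if excess:
        flag("SCOPE_EXCEEDS_CONTRACT", ",".join(sorted(excess)))

    # Dormant accounts are standing access nobody is using; prime for removal.
    if a.last_login is None or today - a.last_login > dormant_after:
        flag("DORMANT_ACCOUNT", "never used" if a.last_login is None
             else f"last login {a.last_login.isoformat()}")
    return out


def review_vendor_accounts(accounts: List[VendorAccount], today: date,
                           dormant_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Run the review over the whole vendor register."""
    findings: List[Finding] = []
    for a in accounts:
        findings.extend(review_one_account(a, today, dormant_after))
    return findings


# Constructed sample register and review date (not real vendors or dates).
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    # Active contract, but the account can reach a network it was never approved for.
    VendorAccount("Acme HVAC", "hvac-maint", {"vendor_portal", "pos_network"},
                  {"vendor_portal"}, date(2025, 12, 31), date(2024, 5, 28)),
    # Contract ended last year; account still active, still logging in, no attestation.
    VendorAccount("Old Analytics Co", "legacy-analytics", {"customer_pii"},
                  {"customer_pii"}, date(2023, 12, 31), date(2024, 4, 2)),
    # Open-ended engagement whose account has not been used in months.
    VendorAccount("Payroll Services LLC", "payroll-svc", {"hr_records"},
                  {"hr_records"}, None, date(2024, 1, 15)),
    # Everything in order.
    VendorAccount("Good Vendor Inc", "goodvendor-api", {"inventory"},
                  {"inventory"}, date(2024, 12, 31), date(2024, 5, 30)),
]


if __name__ == "__main__":
    for f in review_vendor_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{f.vendor:22} {f.account:18} {f.code:28} {f.detail}")
```

In practice the register would be exported from the identity provider or vendor portal and the approved scopes from the contract management system; the value of the script is that it forces the two sources to be reconciled on a schedule rather than only when a breach prompts the question.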
Right this moment, I’d be willing to bet you know exactly how many people have keys to your house. Likely comprised of close friends and family, these are people you trust. People who you know will responsibly lock the door and ensure all of your stuff remains in its rightful place upon leaving. Can you say the same about the vendors you work with — vendors who have access to the crown jewels of your organization? If the answer is no, then don’t be surprised when a vendor’s data breach leaves you high and dry.
The opening quotation is taken from the 2010 book by world-renowned information security experts Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno.
For a more technical and thorough explanation of events, see Teri Radichel’s excellent SANS Institute case study entitled “Critical Controls that Could Have Prevented Target Breach.”