Your organization may be cybersecure, but are your vendors?


March 5, 2019

It all started with the HVAC system.

Image of man on laptop with blue security lock signifying vendor risk management

Hackers who aimed to breach the network at Target Corporation, one of the world’s largest retailers, first had to find an initial point of entry – a vulnerability, however obscure, that would give them just enough access to begin tunneling in.

Thanks to a successful spear phishing attack on a third-party vendor, they found what they were looking for.

Fazio Mechanical Services, the vendor, utilized digital-era technologies that enabled it to remotely control its equipment, thus increasing efficiency and cost. The downside: cybersecurity risks, not only to the vendor but its big corporate customer.

Having spear-phished their way into Fazio’s network, the hackers infected it with malware that eventually yielded credentials they could use to get into Target’s systems. Once in, the hackers uploaded malicious script to a vulnerable web application, identified attack vectors, gave themselves domain admin privileges, and eventually threaded their way to the company’s Point of Sale equipment.

The end result? Personally Identifiable Information (PII) of 70 million customers was compromised. Debit and credit card credentials to the tune of 40 million were obtained and sold on the black market.

The breach remains one of the largest and most notorious in history – and it continues to serve as a cautionary tale.

Most companies and organizations entrust service providers with various business functions. An external company might be hired to provide physical security, for example. An HR consultant might be entrusted with screening candidates for employment. A copy machine supplier might install and maintain IP-enabled copiers with a link to the corporate network. Digital intertwining of this kind brings huge gains, but also some serious risks. Just one seemingly small failure – for example, failing to reset the default password on that brand-new, state-of-the-art printer – can provide cybercriminals with a vector for attack.

What should organizations do to manage the risk? The National Institute of Standards and Technology (NIST) defines five best practices as part of its Cybersecurity Framework that organizations can use to manage cyber risks:

  1. Identify.Recognize and understand what specific threats might affect your organization.
  2. Protect.Determine what steps need to be taken to close off these threats, and then implement the steps. 
  3. Detect.Your cybersecurity team must have the capability to detect an incident-in-progress.
  4. Respond.The response to a breach or other incident should not be ad-hoc. Scenarios should be analyzed and responses devised well ahead of an actual attack.
  5. Recover.With cybercriminals active 24 hours a day, the question for most organizations is not “if” but “when.” While prevention remains crucial, the reality is that a breach will happen sooner or later. What steps are in place to minimize its impact?

For organizations, there’s a double challenge: not only must they implement best practices of the kind outlined in the NIST framework, but they must hold their vendors and contractors to account as well. 

One increasingly popular way to do this is by developing a Vendor Risk Management Program that provides a systematic approach to ensuring that secure practices are in place across the many third parties that may provide services to an organization. Through such a program, a company can define requirements to be included in vendor contracts. It can develop policies and procedures for performing due diligence with regard to a potential vendor. It can incorporate regular audits and assessments as part of the process.

Developing and implementing an effective vendor risk management program is neither easy nor cheap. It can take a formidable amount of time and labor to define all aspects of the program. Adequate personnel are needed in order to make sure the program functions as intended. While corporations may balk at the effort and expense, they must also consider the larger question: are they willing to sustain the damage – not only to the bottom line, but to the company’s reputation – caused by a major breach?

Security comes at a cost. The cost of not having such a program in place, however, can be exponentially higher.

Categories: Cybersecurity