Author: Terry Kurzynski, ISO 27001 Auditor, CISSP, CISA, PCI QSA
The Target® Breach in November 2013 lives infamously in our memories and has served as a pivot point for all businesses with regard to third party vendor management. After all, who could have imagined that the giant retailer would have been breached through a seemingly insignificant third party that didn’t seem to have direct network access?
The incident raised concerns not just in retail but throughout the business world. Executives everywhere are asking themselves: if Target could be hacked, and it happened through a lapse in their HVAC vendor's security, could it happen to us just as easily? As the business owner, it is your responsibility to ensure that your vendors follow appropriate security practices. After a data breach occurs, the trail of liability may lead directly back to your organization, depending on how you managed (or failed to manage) your risk. Organizations cannot outsource security breach liability with a contract.
Why is vendor risk management a big deal now? That is a fair question, because vendor risk management has been required since the 1990s by legislation and regulations such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). The Federal Trade Commission (FTC) has also aggressively stepped up complaints against organizations for deceptive and unfair trade practices (roughly 50 in recent years). Recently the FTC filed its decision and order in the matter of Accretive Health, Inc., a company that, in the FTC's words, “failed to provide reasonable and appropriate security for consumers’ personal information it collected and maintained…”
We are all, in some way, custodians of other people’s data. As we share information with suppliers, vendors, partners, and clients, we have a responsibility to assess the risk of each transaction and business relationship. Our response and security measures need to be proportionate to the risk. Only then can an organization defend itself in suits and legal actions when the inevitable happens. The key questions will always be the same: Did you assess risk? Did you take action to treat the identified risks to a reasonable and appropriate level? Do you monitor the ongoing risk levels and the effectiveness of your vendors’ security?
Threat actors will continue to pursue the path of least resistance, and your vendors are a key threat vector that must be managed. Attackers have learned that breaching one organization’s security controls can give them access to that organization’s trusted parties and their data, and they use that leverage deliberately.
The risks associated with vendors and third parties have increased in recent years as the volume of outsourced products and services has soared. Organizations struggle with risk management internally, and even more so with external entities. The focus must be on overall risk management maturity, with vendors included within its scope and boundaries.
The National Institute of Standards and Technology (NIST) is developing a very helpful (if long) document on how to assess your third party vendors for their security risk and determine whether that risk is acceptable to your organization. The document, NIST SP 800-161, is currently in its second draft and has one basic message: think of your third party vendors as the operators of your controls, and assess the risk of those controls accordingly. If those controls are too risky, put other controls in place to mitigate that risk. We look forward to further updates to the document, but in the meantime we know the practical path it points us down, and it is a smart way to handle this rising security trend.