Third-Party Vendors: Are You on the Same Page?
Your Vendors May Be Weak Links in Supply Chain Breaches
(more…)Category Archives: Third-Party Risk & Vendor Risk Management
Insufficient Vendor Reviews = Rampant Third-Party Breaches
According to a survey conducted by the Ponemon Institute in 2018, 59 percent of companies have experienced a third-party breach of some type. Despite the high prevalence of these incidents however, only 16 percent say they effectively mitigate third-party risks. (more…)
PCI and Third Party Security Assurance: The PCI Council’s Guidance Summarized
Author: Viviana Wesley, PCI QSA
Some recent breaches of cardholder data have been the direct result of a successful compromise of a trusted third party to the breached entity. For example, a factor in the well-publicized breach at Target may have been compromised credentials of a trusted service provider with access to the Target internal network. In order to attain and maintain PCI compliance, all businesses must control the risk that third party service providers pose to the cardholder data environment. It’s important to understand the activities that you’ll need to undertake to manage this risk. (more…)
Vendor Risk Management Hype Extends Beyond Target®
The Target® Breach in November 2013 lives infamously in our memories and has served as a pivot point for all businesses with regard to third party vendor management. After all, who could have imagined that the giant retailer would have been breached through a seemingly insignificant third party that didn’t seem to have direct network access? (more…)
An Open Letter to Antivirus Vendors: It is Time for Antivirus Software to Flag Memory Dumping
Dear Antivirus Vendors,
On more and more incident response investigations, my clients (victims) have been asking the question “Why didn’t our Antivirus software detect the malware when we always keep it up to date?” I respond by telling them that they had targeted malware on their system. Their follow up question usually is whether antivirus software is relevant in this era of targeted threats and Modern Malware. (more…)
As of March 1 Your Vendor Contracts Were Supposed to be Updated. Were they?
The Massachusetts law 201 CMR 17.00 that forces US organizations to protect the PII of Massachusetts residents went into its final enforcement phase on March 1, 2012. By that date, no exceptions, businesses that send Massachusetts-based PII to vendors (service providers) needed to require in providers’ contracts that they will also abide by the law. (more…)