I’ve been reading with wonder, as I’m sure many of you have, about the seemingly endless parade of breaches for companies small & large. Increasingly, it isn’t the company reporting the breach that is the cause of the issue; rather it has been partners or service providers to those companies.
Recently I read about a breach to the Reznik Group, a top 20 CPA firm. The breach didn’t actually happen to Reznik, but instead happened to a service provider. In fact, it was even a former service provider, AssureCare Risk Management, Inc. (“ARM”). Kudos to the Reznik Group for notifying the affected people, even though to me it seems that ARM should have done that notification (and they may very well be doing that by now). ARM’s systems were breached by an unknown, unauthorized person, and data may or may not have been taken, according to this article: http://www.sunherald.com/2011/08/12/3345267/reznick-group-notified-of-potential.html
This is just the most recent in a series of breaches to service providers, similar to the Epsilon breach (more on that here: http://www.securityweek.com/massive-breach-epsilon-compromises-customer-lists-major-brands), which will draw attention simply because of the company whose information was accessed. These breaches lead me to wonder what types of checks & balances are being performed on the service providers. It seems to me that some due diligence needs to be performed on each and every service provider you choose. Perhaps if more organizations implemented an Information Security Management System based on ISO 27001 guidelines, their security posture would be clear and concise to those who choose to do business with them. Almost as important as the actual service someone is providing to your company is how their security will hold up when it matters most.
We need to understand the risk that is involved when we trust our customers’ precious information to anyone. It is not safe to assume their security is solid, nor is it safe to hope they won’t get breached. The right thing to do is to ensure their security posture is exactly where it needs to be. If they’re not certified in some way, SAS70, ISO 27001, or otherwise – get in contact with us at HALOCK Security Labs and we can perform a risk assessment on them for you, so you can understand everything you need to know about them prior to signing on the dotted line. Your company and your customers will appreciate it! And – it just may keep your company’s name out of the news for all the wrong reasons.