Your Vendors May Be Weak Links in Supply Chain Breaches
Companies are always striving to improve the customer experience. They incorporate complex hybrid architectures of third-party cloud applications and services to streamline processes and make things more convenient. However, this evolution has exposed a crucial vulnerability: your enterprise is only as secure as your weakest vendor. While your own firm may be practicing due diligence to ensure that the proper security controls are in place to protect your third-party data, intruders may be reaching that data through a vendor's access path. The fact is that companies today have more to worry about than just themselves. They have to focus on their social responsibility, not just shareholder value.
According to a survey conducted in the fall of 2018 by the Ponemon Institute, 56 percent of organizations have had a breach caused by one of their vendors. In the healthcare sector, 20 percent of breaches in 2017 alone were attributed to third-party vendors. The problem is prevalent in all industries. None of this has gone unnoticed by government legislators either. New compliance regulations such as the recent NYCRR financial regulations and Europe's GDPR are making companies responsible for ensuring that the security efforts of their suppliers and vendors are up to par.
Every Connected Vendor Is a Risk Point
CVS recently entered an agreement with Target to provide pharmacies and health clinics within Target stores. Target, having learned a valuable lesson from the infamous 2013 breach of 40 million credit cards, is requiring CVS to operate on its own network with no access to Target's information technology (IT) services. It is a lesson that many companies need to digest – giving others access to your network is not a good idea.
In the case of the highly publicized Target breach, hackers stole the network credentials used by a Pennsylvania-based company that provided refrigeration and HVAC systems for Target. The company had access rights to Target's network for carrying out tasks like remotely monitoring energy consumption and temperatures at various stores. The hackers used that access to move undetected throughout the Target network and upload malware onto the company's Point of Sale (POS) systems. The rest is history. Target's lack of proper network segmentation cost them dearly, and the Target case continues to serve as a poster child of what not to do. The final cost for Target was $202 million.
The Dark Overlord Strikes Orthopedic Clinic
In the summer of 2016, a notorious hacking group called the Dark Overlord orchestrated a trio of breaches involving the electronic records of more than 655,000 patients. The breaches affected three healthcare organizations, the largest of which was Athens Orthopedic, an orthopedic clinic with 13 locations dispersed throughout the state of Georgia. The breach involved the exfiltration of a database of some 397,000 records that included names, social security numbers, birth dates, contact information, and medical history.
The clinic had been in business for nearly 50 years and had a stellar reputation. They outsourced their IT needs to a local Managed Service Provider (MSP) with an equally positive reputation. Unfortunately, one of the MSP's cloud application vendors used unsecured VPN connections for its customers, including the three compromised healthcare clinics. The clinic was forced to take a series of expensive measures to recover from the incident, which included:
- Hiring an outside cybersecurity firm to conduct a complete audit of all their systems that included remediation steps
- Firing that third-party vendor and immediately seeking a replacement
- Contacting hundreds of thousands of patients through the mail to inform them of the incident
- Obtaining additional legal counsel to combat lawsuits
While it is normal for large corporations to offer free credit monitoring to those whose data is involved in these types of incidents, Athens Orthopedic was unable to do so, as the required costs could have caused them financial ruin. Bad press and damage control greatly added to their breach burden.
You Must Be Able to Assess the Security Capabilities of Your Vendors
Your vendors are an extension of your organization, and your cybersecurity responsibilities extend to them as well. Most companies find it challenging enough to oversee their own cybersecurity systems without having to inquire about those of their vendors. Security alignment should be a required factor in the initial vendor selection process.
- What questions should you be asking?
- How do you go about assessing their capabilities?
- What is their level of due diligence when it comes to your third-party data?
Get Peace of Mind by Knowing Who Your Partners Are
Know what questions to ask and what the responsibilities of your vendors should be. HALOCK can provide a thorough, logical review of your third parties. Request your Third Party Risk Management (TPRM) workbook to get started.
Simplify your process – scope and quote your project.
HALOCK partners with you to establish reasonable security controls based on your organization’s mission, objectives, and social responsibility.