The Target breach was caused by a third-party vendor whose employees opened a phishing email. A service provider for AT&T was responsible for that company’s data breach revealed this summer. And the massive Home Depot breach happened because the hackers used a third-party vendor’s credentials to get into the retailer’s network perimeter.
Do you notice a theme here? Third parties are a growing risk to a company’s network, and we should expect these types of stories to increase in 2015, Steve Durbin, managing director of the Information Security Forum, told me in an email:
Over the next year, third-party providers will continue to come under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality, integrity and/or availability. Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their intellectual property, customer or employee information, commercial plans or negotiations. And this thinking should not be confined to manufacturing or distribution partners. It should also embrace your professional services suppliers, your lawyers and accountants, all of whom share access, oftentimes to your most valuable data assets.
A November study by BitSight has confirmed just how much of a threat third-party vendors have become, particularly for the retail industry. According to a release:
BitSight observed that nearly a third of all breaches in the retail sector began with a compromise at a third-party vendor. Retailers share sensitive data with hundreds to thousands of business partners globally; organizations can take steps in securing their own networks, but ignoring risks posed by third-party partners can leave them exposed and vulnerable to breaches.
The BitSight study also found two other important concerns: The response time to a retail breach has gotten longer from 2013 to 2014 and all types of threats to the retail industry, particularly malware, are on the rise. On a positive note, retailers are taking action to improve security after a breach has occurred. On one hand, that’s almost like locking the proverbial barn door after the cows escape. On the other hand, steps are being taken to prevent being a repeat victim.
As we move closer to 2015, retailers would be wise to work more closely with their vendors and consultants and ensure that everyone is on the same page when it comes to security practices. As Durbin said:
A well-structured supply chain information risk assessment approach can provide a detailed, step by step approach to portion an otherwise daunting project into manageable components. This method should be information-driven, and not supplier-centric, so it is scalable and repeatable across the enterprise.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba