A Costly Reminder: Third Party Risk Management is Critical
Posted January 4, 2016
By Steven Weinstein
We’ve all heard time and time again how important insight into third parties (or the supply chain) is when it comes to an organization’s overall risk posture. Of course we all remember the poster child example when the giant retailer Target announced they had been breached in December 2013. After a spear phishing email containing a malicious attachment initially compromised a HVAC vendor in Target’s supply chain, network access allowed attackers to move laterally into Target’s network, ultimately allowing the installation of malware on point-of-sale devices. Over the course of the attack during the peak holiday shopping season, attackers managed to exfiltrate the credit card information of over 40 million customers.
Fast forward to mid-July, 2015 for one of the more recent examples of a breach resulting from a third party. Costco, Sam’s Club, Walmart Canada, CVS, and Rite Aid were all impacted by a data breach at PNI Digital Media, which managed and/or hosted photo services for the large corporations.
On September 29, 2015, Costco issued a statement to potentially impacted customers stating that attackers had access to PNI’s systems from June 19, 2014 to July 15, 2015 before the intrusion was discovered. The statement includes that “there is a possibility that if you logged on during the affected time period, your email address and password were compromised. If you created a new account during the affected time period, your name and phone number also may have been compromised. We do not believe, however, that stored information or your photos were at risk”.
There is no mention, however, of credit card data being stolen until looking at the text below, copied from the referenced FAQ page :
“Q: Was my credit card information taken?
A: Our investigation indicates that some Costco members who typed credit card numbers onto the site during the compromise window had credit card information (including security code and expiration date) taken, along with other information that may include name, phone number, billing address, email address, password and ship-to information.”
Because of such a large attack window, the potential impact on the companies and their customers is massive. A single weak link in a company’s supply chain can have significant monetary (investigation, mitigation, remediation, credit monitoring services, etc.) and reputational costs. What made this attack so significant is the fact that each of these multi-billion dollar companies was attacked by a common link in their supply chain. Don’t be surprised if attacking via third party vendors common to large companies becomes a trend.
Of course national and multi-national companies can have thousands of third party vendors and managing risk from all of them is impossible, but here are some quick and helpful tips for monitoring third party risk:
- Identify your most critical third party vendors and points of contact on their security teams
- Develop third party or vendor risk management policies and procedures and agree upon them with third parties before doing business with them
- Require third parties to disclose information about their security practices
- Conduct annual or semi-annual security (cyber and physical) audits of vendors
- Make third party risk management a core component of the Mergers & Acquisitions processes
- Continuously monitor third party public IP space and correlate with all sourced threat intelligence to identify risks
- Collaborate with industry partners through ISACs (Information Sharing and Analysis Centers) to identify common links in the supply chain and support those links
- Have a chat with LookingGlass experts to learn how our product portfolio can minimize risk from third parties by contacting us here.
The bottom line is that investing time and resources in creating and maintaining an effective third party risk management strategy is much less costly than that of a major breach suffered because of a vendor in the supply chain.