Third Party Risk…

The call is coming from inside the house!


No business operates in a vacuum. And as businesses grow, they invariably need to rely on third parties to operate. The simple act of moving a garage operation into a rented office triggers a litany of third-party relationships (building security, maintenance, cleaning crews), each carrying its own risks. As operations increase in sophistication, businesses take on more third-party risk by outsourcing critical operations such as IT, Legal, or HR. These relationships are essential to the growth of the business; however, these teams are given privileged access to company systems and information and thus must be properly vetted.


What happens when a vendor isn't vetted? Ask Target executives. In 2013, Target suffered one of the worst breaches in retail business history. Target had a top-tier security infrastructure in place, but threat actors were able to circumvent these systems by stealing credentials from its less sophisticated HVAC vendor, Fazio Mechanical. An employee at Fazio clicked on a phishing email and inadvertently downloaded the Citadel Trojan (malware that would have been detected by Target’s antivirus software), which gave the threat actors a back door into Target’s systems. They leveraged this access to steal 40 million debit/credit cards and 70 million customers’ information. The breach cost Target roughly $290 million and scores of customers during the holidays.

The Target breach is instructive precisely because Target did so many things right. They had a top-tier security team, 24/7 network monitoring, and sophisticated malware detection software. But they failed to properly vet and secure a single vendor, which led to one of the biggest and most costly breaches in history.


KNOW YOUR VENDORS! Look around your office and think about all the services that you rely on third parties to manage. Ask yourself,

  • Do they have physical access to your office?

  • What about your IT or OT systems?

  • Can they access your sensitive data?

If you answered yes to any of these, you should have a Vendor Management Program.

You’re probably thinking, this is going to take time away from the value-add services I provide to my customers and from growing my bottom line. I encourage you to think about it a bit differently. You’ve spent years, perhaps decades, building trusting relationships with customers so that they choose you over your competitors. Imagine looking them in the eye and asking for their business after a breach. Do you think it will matter to them that the source of the breach was one of your vendors? Preserve those relationships and your reputation by protecting your customers. The same rationale applies to your employees.


There are tons of resources online that can help you. Review them, but remember not to overcomplicate it; many of those resources are geared toward enterprise businesses. Strip away the inessentials and get going.

Personally, I like phasing projects and would break it down as follows:

  1. Develop a list of critical vendors.

  2. Build a checklist of questions for your critical vendors (making sure to request documentation where appropriate, such as a SOC Report).

  3. Send the checklist to all your critical vendors (and prospective vendors).

  4. Review responses and build a scoring methodology.

  5. Pivot away from any vendors that fail to meet your minimum threshold.

The most important thing is that you don’t wait. Courts in shareholder derivative actions have held that ignorance is not a defense. They do, however, give credit to companies that have a plan to improve their cybersecurity posture, even if that plan hasn’t been fully implemented.

If you need help with this, reach out to me directly.

Stay vigilant.