The Target security breach is considered the largest in U.S. retail history, and an article written by KrebsOnSecurity highlights some striking figures. The hackers stole 40 million credit and debit card numbers and 70 million personal records, which cost credit unions and community banks $200 million to replace. Target will also spend $100 million to upgrade its payment terminals and a considerable amount of time and money answering to multiple lawsuits. If you're asking yourself what this has to do with a third-party vendor, the answer is that the hackers apparently used a heating and refrigeration company contracted by Target to gain access to the retailer's network.
A new benchmarking study conducted by Shared Assessments and global consulting firm Protiviti clearly reinforces the lessons of the Target incident. The 2014 Vendor Risk Management Benchmark Study cites security gaps in current third-party risk management practices and reveals many of the dangers organizations face when they outsource services and partner with third-party vendors.
In the past, if an HVAC (heating, ventilation, and air conditioning) company wanted to check the thermostat of one of its customers, it would have to send a technician. Today, all the technician has to do is log in to the customer's network remotely and find out whether all the thermostats in 50, 100 or 1,000 locations are working. While this is very convenient for the technician, the company with 1,000 stores has no idea what kind of security the HVAC outfit is using to access its network.
This is precisely the point of the new benchmark study, which asks how organizations and companies manage data security risks that lie outside of their control. That is why it recommends a shift in the vendor management landscape by moving from risk management to risk assurance.
"Vendors and service providers have an 'EZ-Pass' into companies' network environments and are often granted access to the most sensitive data. When outsourcing or partnering, companies need to exercise vendor due diligence the same way they would safeguard critical assets and sensitive data in their own possession. Companies can outsource the function but cannot outsource the risk," said Rocco Grillo, managing director and global leader for incident response and forensic investigations, Protiviti.
In today's environment there is no difference between first- and third-party data risks, and many of the compliance rules that are in place give regulators the authority to punish everyone equally. So the onus of vetting the security of the company you outsourced your work to falls on you. It is up to you to continually assess the vendor program and implement control measures to reduce or completely eliminate any liabilities around managing third-party risks.