The Target breach illustrated just how important vetting third parties is. The hack was successful for a number of reasons (including Target’s failure to act on the attack much earlier, when it was detected), but the initial breach happened through a small vendor which had single-factor remote access to Target’s network. It’s unclear what Target’s third-party evaluation process was, but it is absolutely clear that it didn’t work. Existing relationships with third-party vendors can make evaluation difficult, as reliance on those vendors for specific services might be considered too mission-critical to disrupt. Companies must still do their due diligence; the good news is that it doesn’t need to be disruptive, assuming your third party is truthfully answering your questions about their security.
Red Flags to Watch For
The following are some warning signs that your third party is not secure or is not being upfront about their commitment to security:
- No dedicated Information Security role (full time or consultant)
- Aversion to showing information about their security program
- Simplistic answers when asked about technical setups (e.g. “our firewall blocks everything”)
- Lots of buzz words but no real information provided
- Lack of recent audits (third party or internal)
- Generic-looking documentation
- Immature or non-existent incident response plan
- Inability to produce a Business Continuity Plan or Disaster Recovery policies
- Simple passwords, usually transmitted insecurely
- No two-factor authentication option
- Attempts to use their data center’s certifications instead of their own (SSAE16, ISO27001, etc.)
- Exasperation (or worse) from their personnel when pressed about security
You can still consider doing business with these companies under three conditions:
- Make sure the terms and conditions in your contracts and agreements with the third party cover your liability and ensure they will conform to your Information Security requirements for any data that they host or process;
- Ensure the right to audit them is included in these terms and conditions; and
- Do not host or store any information that could be considered sensitive or confidential with them if you have any doubts about their security. This is especially true of Personally Identifiable Information (PII).
If third parties are overlooked or trusted without verification, a company risks a breach, the equivalent of handing your identification and sensitive information to a stranger on the street. Most risk metrics would call this unacceptable, and if you’re even partially responsible for keeping people employed, you should have the same point of view. If you see any of the warning signs above from your vendor, ensure you are covered in your contracts or find another vendor.