BreachExchange mailing list archives

New Study Reveals Risks of Third-Party Vendors to IT


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 23 May 2014 13:20:54 -0600

http://it.tmcnet.com/topics/it/articles/2014/05/23/379548-new-study-reveals-risks-third-party-vendors-it.htm

The Target security breach is considered the largest in U.S.
retail history, and an article written by KrebsonSecurity highlights some
very impressive facts. The hackers stole 40 million credit and debit card
numbers and 70 million personal records, which cost credit unions and
community banks $200 million to replace. Target will also spend $100
million to upgrade its payment terminals and a considerable amount of time
and money answering to multiple lawsuits. If you're asking yourself what
this has to do with a third-party vendor, the answer is, the hackers
apparently used a heating and refrigeration company that was contracted by
Target to access the retailer's network.

A new benchmarking study conducted by Shared Assessments and global
consulting firm Protiviti clearly validates the Target incident. The 2014
Vendor Risk Management Benchmark Study cites security gaps in current
third-party risk management practices and reveals many of the dangers
organizations face when they outsource services and partner with
third-party vendors.

In the past, if an HVAC (heating, ventilation, and air conditioning)
company wanted to check the thermostat of one of its customers, it would
have to send a technician. However, today all the technician has to do is
log in and access the company's network and find out if all the thermostats
in 50, 100 or 1,000 locations are working. While this is very convenient
for the technician, the company with 1,000 stores has no idea what kind of
security the HVAC outfit is using to access its network.

This is precisely the point of the new benchmark study which asks how
organizations and companies manage data security risks when they lie
outside of their control. That is why it recommends a shift in the vendor
management landscape by moving from risk management to risk assurance.

"Vendors and service providers have an 'EZ-Pass' into companies' network
environments and are often granted access to the most sensitive data. When
outsourcing or partnering, companies need to exercise vendor due diligence
the same way they would safeguard critical assets and sensitive data in
their own possession. Companies can outsource the function but cannot
outsource the risk," said Rocco Grillo, managing director and global leader
for incident response and forensic investigations at Protiviti.

In today's environment there is no difference between first- and third-party
data risks, and many of the compliance rules that are in place give
regulators the authority to punish everyone equally. So the onus of vetting
the security of the company you outsourced your work to falls on you. It is
up to you to continually assess the vendor program and implement control
measures to reduce or completely eliminate any liabilities around managing
third-party risks.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 