Organizations manage risk. Risk has many dimensions, everything from not being able to get raw materials to hurricanes.
Possibly your biggest risk is your third party relationships. As companies continue to outsource parts of their supply chain to other companies, those companies have your data. And if those companies get breached, you get sued. That is the reality. You can sue your supplier, but in the meantime, you are on the hook and you get the bad PR.
Last week Key Bank admitted that some unknown number of mortgage customers’ data was exposed because an insurance vendor Overby Seawell Company was hacked. Since Key Bank had the relationship with the insurance vendor (I can’t quite tell if this is forced placement or some other arrangement), Key Bank is getting the bad press. After all, who has heard of Overby Seawell?
Uber announced a breach last week that appears to have major consequences. The source of the breach was a contractor. Basically, another name for a vendor.
The Target breach from 2013, one of the top 10 breaches of all time (110 million people), was caused by an air conditioning maintenance firm outside Pittsburgh that was compromised.
The Home Depot breach in 2014 was caused by a vendor. 109 million consumers affected.
The Under Armour breach in 2018, which affected 150 million MyFitnessPal accounts was due to a bug in the MyFitnessPal app, developed by a third party, which was purchased by Under Armour just before the breach.
A third party vendor to Netflix who did audio enhancement work for them was breached and an entire unreleased season of Orange is the New Black was stolen and released – before it even aired.
Both Sonic and Whole Foods suffered breaches when their Point of Sale systems, run by a third party, were compromised.
I could go on all day.
Of course, the courts and regulators don’t care that you chose to outsource the work.
We are starting to see customers ask vendors to fill out long security questionnaires before giving them the contract.
Insurance companies are demanding proof that outsourcing arrangements are secure.
And, if you are in a regulated industry, regulators are asking lots of questions.
Even if the third party isn’t breached, if the third party (like Amazon Web Services) goes down, you are down and you are still responsible.
Also remember that if the vendor is not compliant, you own that risk too.
Since the problem is yours, you need to deal with it and it is not simple.
If you need help with this, please contact us.
Credit: Help Net Security