Category Archives: Best Practices

Vendor Risk Assessment Is Critical For Business

It was reported across the media late last month that the Hilton Hotel chain had a credit card breach. While some media outlets are reporting that the attack ran from April 21 to July 27 of this year, Brian Krebs is reporting that sources are telling him the breach may go as far back as November of last year and may still be going on – a much bigger window, if accurate, than earlier reported.

What is more interesting is that – and we have seen this before – the attack did not affect the front desk charges; it only affected restaurants, coffee bars and gift shops.

Why would it only affect those credit card readers and not the ones at the front desk?

According to Krebs, those locations are franchised. While that term is a little vague to me (many of the hotels themselves are franchises), I think what he means is that those operations are not run by Hilton and are not run by the hotel franchisee either; they are operated by a third party.

Assuming this is accurate (and I think it is), it means that one or more VENDORS that Hilton selected had poor security.

As more and more businesses outsource little bits of their business, more breaches start with a vendor: besides this one, the Target, Home Depot, Office of Personnel Management, zoo gift shop (a number of zoos outsource their gift shops) and T-Mobile (twice) breaches, along with a number of others, all started with a vendor.

I understand that a vendor risk assessment program costs money, but as Hilton and T-Mobile are learning this month, it is also expensive NOT to have a vendor risk assessment program.

It is a classic case of pay me now (have a vendor risk program) or pay me later (deal with the vendor being breached).

Just to be clear, a vendor risk assessment program will not STOP all breaches, but it will improve your odds, if you do it right.

If the program is a paper exercise and no one really cares about the results, then it won’t do any good. On the other hand, if the business is willing to fire the vendor (not give them any more business) if their risk profile is not at the level that the company wants, then the vendors will improve their security.

Each company needs to identify its high risk vendors. These are the ones that either hold data which, if compromised, will cost the company a lot of money to deal with, or have direct access to the company’s computer network. Those are the first vendors to do a risk assessment on.

Vendor risk assessments – they are an important part of your security program.

Information for this post came from Krebs On Security.

AT&T Says Security Incidents Up 48% Over 2013

AT&T released its first public cybersecurity incident analysis report last week. As a network security services provider, they get to see the attacks in real time. One service that AT&T offers is to mitigate security threats in the network before they ever reach you. They also offer cyber security consulting services. AT&T’s competitor Verizon also produces a similar report every year. Obviously, these pieces are marketing tools to sell cybersecurity services, but that does not make the data any less useful.

A few highlights from AT&T’s report released last week:

  • Security incidents are up 48% over 2013 (117,000 attacks a day)
  • DDoS attacks are up 62% over the last two years
  • 75% of businesses do not involve their full boards in cyber risk oversight

The report suggests 5 questions for every CEO. While these questions are not necessarily perfect, they certainly are good questions:

  1. Is your board of directors fully engaged in cybersecurity?
  2. When did you and your board review your last risk assessment?
  3. What makes you a target for attacks?
  4. What data is leaving your company and is it secure?
  5. Have I provided my security organization all the tools and resources they need to help prevent a security breach?

My additions or changes to these questions are:

For question 2, WHEN was the last risk assessment conducted? If the answer is more than 12 months ago, it is time to conduct a new one.

For question 4, SHOULD that data be leaving the company at all and HOW do you know what data is leaving the company?

The AT&T report also says that about half of the large companies (their target market) are re-evaluating their information security standards in light of the recent high visibility breaches. That means that more than half are not. I suspect that smaller companies are even less likely to be re-evaluating their standards because they are more worried about top line sales numbers. Unfortunately, that is probably the wrong choice. Large companies (think Anthem or Target) have the resources to deal with the aftermath of these attacks and continue to do business. This is much less likely for mid-size and smaller companies.

The report has many other useful recommendations and questions. I would recommend that the chief security person in every organization read it.

The report is available on AT&T’s web site here.
What Happens When Online Services Go Down?

This afternoon, Google Apps went down for a few hours. Judging by the activity on the Twitterverse, you would have thought the world had ended. You can check the outage yourself by going to Google’s AppsStatus page on the web (

Google Tweet

It appears that Google Docs, Sheets, Drive and other parts of the Google Apps universe were down for 2-4 hours this afternoon, depending on which app and which user.

While that is not the end of the world, it certainly is inconvenient, and if you needed to either work on or deliver a file which is stored in the cloud, it was probably a problem for you.

Most users probably just left early on a Friday, especially on the East Coast, where sanity didn’t return until 5 PM.

There is a moral here. Having a business continuity plan is always a good thing.

While storing things in the cloud is convenient – I do it myself – it does mean that if the vendor has an outage – and every one of them will at some point in time – you may well not be able to get to that file or service until it is repaired.

This is true for Amazon Web Services, Google Apps, Microsoft Azure, Salesforce and everyone else – nothing is 100% available.

Also remember that the cloud is likely more reliable than your own internal servers. If your laptop, tablet or server crashes, assuming a reboot doesn’t fix it, how long will you have to go without? For most vendors, if you pay a lot, you may get the vendor to be on site in, say, 4 hours. That does NOT mean that the part that you need will be there with him – that might not arrive until tomorrow or the next day.

So this doesn’t mean that the cloud is bad. Or good. It means that technology is imperfect and you need to consider the consequences of an outage, assume that it is going to happen and have a “Plan B”.

For some people, Plan B might mean calling it a day. However, if the outage affects the way that your customers connect with you or how your team supports your customers, that particular Plan B might not be the best answer.

THAT is why you need a business continuity PLAN. For some applications, waiting is probably a perfectly acceptable plan – for a certain amount of time. An hour. A day. A week. Likely not a month. For other applications, that might be a terrible plan.

And planning is usually way better than running around the house or office doing your best Chicken Little imitation. No, the sky is not falling. But it might be very cloudy. Or not cloudy enough.