Those of you who have been following the Target security breach are probably aware that the publicly stated source of the breach was a heating vendor who clicked on a malicious email and set the wheels in motion for one of the largest security breaches ever.
Since the old adage says that your firm's security is only as good as its weakest link, you might assume that companies would be reviewing the security of the third parties that are vendors and part of the company's supply chain.
According to an article in CSO Online, only 44% of companies surveyed take the effort to vet the security of third party vendors and others in their supply chain.
92% of the firms don’t have a supply chain risk management process.
We have heard of law firms being targeted. Apparently, the bad guys have figured out that it may be easier to attack a company's law firm than the company itself.
Do your vendors have the ability to log in to your systems? You might say that if the answer to that question is no then you are safe. Maybe not.
If those third parties have the ability to send you an email or send you a Word doc, then they could be the vector for an attack on you. If they can log on to your systems, the risk is even higher.
My suggestion: use a risk management process to minimize the likelihood of your most important vendors being the source of a breach of your information.
Remember that even if they have cyber liability insurance (and since you are not vetting them, you don't know), the one getting the black eye is you, not them. Nobody remembers the name of the heating contractor that started the Target breach. And if all they have is general corporate liability insurance, then the odds of you collecting a dime are nil.
Food for thought.