Tag Archives: Vendor Cyber Risk Management

Vendor. Cyber. Risk. Management!

I don’t know how to say this any more clearly, but vendors represent a huge risk to every organization.

Lion Air, the Indonesian parent of Malindo Air and other subsidiaries that were breached, confirmed the breach last week.

Why did they confirm it?  Perhaps they were being good corporate citizens.  An alternative explanation is that the Russian security firm Kaspersky (that the United States banned from federal systems, probably for good reason) outed them and warned customers in Malaysia and Thailand.

The breach compromised 46 million people’s data.

Lion Air cheerfully said that no credit cards – which are easily replaced –  were compromised.

What was compromised is passport information (which is difficult and expensive to replace), birth dates (which I have been told are very hard to replace), names, home addresses (I guess you could move) and other personal information.  But no credit cards, so relax.

Oh, yeah, the data was left in an unprotected Amazon S3 bucket – NOT AMAZON’S FAULT!

This is just one of many vendor induced breaches.  In June Upguard reported a terabyte of backup data belonging to Ford, Netflix and TD Bank was found unprotected on several Amazon S3 buckets.

Companies need to create and implement a comprehensive vendor cyber risk management program.  This differs from the traditional vendor risk management program, which worries about whether the vendor is licensed and carries insurance; a vendor cyber risk management program also asks how the data entrusted to the vendor is being protected – by the vendor, by your company or by both.  Many cloud providers, including Amazon, operate under what AWS calls the “shared responsibility model”, meaning that both parties have security obligations.  In Amazon’s case, Amazon secures the underlying infrastructure and provides the tools and the documentation, but you must actually use them: who can read an S3 bucket, for example, is entirely your configuration.  And you must test that configuration frequently.  And test again.
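As an added illustration of the customer’s side of that shared responsibility (example code, not from the original post or from AWS): the two documents that decide whether an S3 bucket is “unprotected” are its ACL and its bucket policy, and both can be audited offline from the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return.  The sample documents below are constructed; the bucket name, account ID and role name in them are made up.  The weak configuration is the pattern behind most “left in an open bucket” stories, the hardened one beside it is what it should have looked like.

```python
"""Offline audit of an S3 bucket ACL and bucket policy for public access.

Added example, not code from the original post or from AWS. It evaluates the
JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return,
so it needs no credentials; the sample documents below are constructed and the
bucket name, account ID and role name in them are made up.
"""
import json
from typing import List, Optional, Tuple

# ACL grantee groups that open a bucket to anyone on the internet (AllUsers)
# or to anyone holding any AWS account (AuthenticatedUsers). Both are public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl: dict) -> List[Tuple[str, str]]:
    """Return (grantee URI, permission) for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission", "")))
    return findings


def _principal_is_anyone(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means any caller, anonymous ones included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_public_statements(policy: dict) -> List[str]:
    """Return the Sids of Allow statements that any principal can use.

    A statement carrying a Condition block (aws:SourceVpce, aws:SourceIp, ...)
    is treated as restricted and not flagged; whether that restriction is
    actually strong enough still needs a human to read it.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def bucket_is_public(acl: dict, policy: Optional[dict]) -> bool:
    """True if either the ACL or the bucket policy opens the bucket to everyone."""
    return bool(acl_public_grants(acl)) or bool(policy_public_statements(policy or {}))


# Constructed sample, weak configuration: a READ grant to AllUsers in the ACL
# and a policy that lets anyone call GetObject.
WEAK_ACL = json.loads("""{
  "Owner": {"ID": "owner-canonical-id"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]
}""")
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"
  }]
}""")

# Constructed sample, hardened configuration: owner-only ACL, access limited to
# one IAM role, and an explicit Deny for plaintext (non-TLS) requests.
HARDENED_ACL = json.loads("""{
  "Owner": {"ID": "owner-canonical-id"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"}
  ]
}""")
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BackupRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

if __name__ == "__main__":
    for name, acl, policy in [("weak", WEAK_ACL, WEAK_POLICY),
                              ("hardened", HARDENED_ACL, HARDENED_POLICY)]:
        print(name, "public:", bucket_is_public(acl, policy),
              acl_public_grants(acl), policy_public_statements(policy))
```

To run it against a real bucket, feed it the output of `aws s3api get-bucket-acl --bucket NAME` and the `Policy` string from `aws s3api get-bucket-policy --bucket NAME`, which is JSON inside JSON and needs a second `json.loads`.  Two caveats a practitioner will want: a statement with a Condition is skipped here, not blessed, so still read it; and the account-level S3 Block Public Access setting is the backstop that makes grants like the weak ones above ineffective even if someone adds them later, so turn it on and check it too.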

Costs, fines and lawsuits as a result of this breach will no doubt cost Lion Air many millions of dollars.

One more consideration if you are wondering if you need a vendor cyber risk management program.

Colorado law (for those of you based here or with customers here) requires you to verify that vendors are protecting personal information before you share it with them, so by not having a vendor cyber risk management program you are not just taking a risk, you are violating state law.

Source: ZDNet’s Dark Reading.


Misconceptions About Vendor CYBER Risk Management

I talk about the importance of vendor cyber risk management programs all the time.  Vendors have been at the root of many very major breaches such as Target and Home Depot and more recently Capital One.  Here are some thoughts around vendor cyber risk management.

  • The vendor is big and publicly traded so surely they are secure.  The Capital One breach happened in Amazon’s cloud, at the hands of a former Amazon employee who exploited a misconfigured firewall in Capital One’s own environment.  Neither company’s size prevented it.  Enough said.
  • I don’t share non-public personal information with the vendor, so they are a low risk.  First, if a vendor is a trusted partner, the risk is high because, well, they are trusted.  If the vendor gets compromised and you receive say, a poisoned email from that vendor, you are more likely to open it and second, more and more laws address any personal information and not just non-public personal information.
  • The vendor is not publicly traded.  True, if the vendor is not public there may not be much information online, but that doesn’t stop you from asking for information.  In Colorado, for example, you are required by law to verify that a vendor can protect personal information before you let them have it.
  • I don’t share data with them electronically.  Think about a document storage company or a document mailing service.  They still represent a risk.
  • The vendor is well known so surely they are secure.  Is Target well known?  Marriott?  Equifax?  Sorry, size doesn’t protect you.
  • The vendor was already hacked, so it’s all good now.  There is a kernel of truth here.  Many times companies do improve their security after a breach, but there is no way of knowing without doing your own assessment.
  • The vendor is a big tech company – spent bazillions on their software – so surely it is secure.  Companies’ data stored at Amazon is compromised all the time.  It may not be the vendor’s fault – you may not have configured things right – but your data is still compromised.
  • The vendor won’t provide the documents that we have asked for.  Often vendors can’t provide everything you might like, but that doesn’t mean that you shouldn’t get as much as you can.  And then you have to make a decision as to whether you should do business with them.  If companies lose enough business they will change their ways.
  • We have reviewed the vendor’s security and it is good, so we do not need to worry about their vendors.  Nope.  Not the case.  There was a recent breach of about 24 million mortgage documents.  What happened?  The banks hired a vendor.  That vendor outsourced part of the work and the subcontractor was breached, leaving the banks financially responsible.
  • I’ve never been hacked so surely my vendors won’t be either.  Hope is not a good security strategy.  Remember that it took Marriott 4 years to figure out they had been hacked.  The longest running undetected hack I know about was a tech company that was compromised for more than ten years.  They are no longer in business.   Bankrupt and sold off for scrap.

How strong is your program?  Deal with it now or deal with it after a breach.  Now is cheaper, I promise.

Vendor Risk Management Common Misconceptions

If yesterday’s post (on Asus) and many of my posts in the past are any indication,  supply chain risk is a huge problem and not very well handled at many companies.  Part of the reason why is all of the misconceptions we have.  Here are a few and why they are misconceptions:

The vendor is a large company; surely they have a great security program.

Equifax was a vendor to thousands of companies.  No problem here.

Marriott was a vendor to millions of customers.  Any problems?

The U.S. Office of Personnel Management, which vets federal employees and contractors, lost records on more than 21 million people.

You get the idea.

We haven’t given the vendor any Non-public Personal Information (NPI) so there is not much risk.

More states are shifting the standard of care to personally identifiable information (PII).  That is a much bigger footprint.  If the vendor has your customer’s PII and the vendor has a breach, guess who is on the hook legally?  Answer: you.  Because you picked the vendor.

The vendor is privately held, so we can’t get any information on them.

Even if the vendor is privately held you can still ask for information.  You can ask for an accountant’s statement.  You can ask for an independent audit report such as a SOC 2.  You can ask about their cybersecurity program.  You can ask for a lot of information.  Do so.

We don’t give our vendor data in electronic format, so there is not much risk.

While paper is lower risk, it is not no risk.  Your shredding service only gets paper.  Likewise your document storage vendor.  Consider each situation carefully.

The vendor’s security is probably good because they are well known.

Target is well known.

Home Depot is well known.

Marriott is well known.

And hundreds of others.  Any questions?

Our vendor was hacked, but they say that they fixed the problem.

Maybe, but maybe not.  It depends.  Did they put a band-aid on the problem or did they fix the systemic issues underlying it?  Ask questions.  This will likely take a bit of digging, but do it anyway.

This vendor has a breakthrough product; surely their security is good too.

Again maybe, but maybe not.  Sometimes breakthrough features are deemed to be more important than security and privacy.  Don’t assume.

The vendor won’t give us what we ask for so we are out of luck.

Maybe.  How important is what you are asking for?  Should you consider a different vendor?  Will they let you look at it but not keep it  (maybe in person or maybe over a web conference)?  Is there alternative information that would work?  They do likely want your business, so engage them to help you figure it out.

The vendor’s security program looks strong, so their third parties (our fourth parties) are strong too, right?

Maybe, but that is a bit of a stretch.  Review their vendor cyber risk management program first before you make that assumption, especially if the fourth party has your sensitive data.

I would never fall for a phishing attack so I am sure that our vendor wouldn’t either.  We don’t need no stinkin’ training and neither do they.

That is so wrong on so many levels.  We have many stories of businesses that thought they didn’t need training and then fell for phishing scams, lost sensitive data or even lost hundreds of thousands of dollars.  While training doesn’t fix everything, it is important.  Don’t skip the training, and remember that training is not a one time event.

These are just a few of the misconceptions, there are many more.

If your vendor has a breach, you are on the hook.  Maybe they are too, but you are first and foremost.  Your customers look to you to protect their data.

If you need help with your vendor cyber risk management program, contact us.

Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards, had a problem with its third party vendor – which, from the banks’ point of view, is a fourth party risk.

The small bank wants to issue credit cards so they hire TCM and TCM hires someone else and that company leaked the bank’s customer data.

TCM said less than 25% of applicants had their data compromised – fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better, but somehow, it doesn’t.

The small community bank, which has the least security expertise, is liable for the fourth party breach.  The Feds – the FFIEC, the OCC or the FDIC – plus the state regulators will be asking lots of embarrassing questions.  Those banks, which likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, there were about 400 breaches reported to the ICO (Information Commissioner’s Office) in March 2018 and another 400 in April.  In May, the month in which GDPR came into effect (on the 25th), there were 750 breaches reported.  In June, the first full month that GDPR was in effect, there were 1,750 breaches reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is causing people to report breaches.  We shall have to see what the trend looks like and what happens in other countries.  Source: Bankinfo Security

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to disclose whether they have let the Russians or the Chinese review their source code.  Source: Bleeping Computer.


Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of its customers, said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self – even though T-Mobile may be less expensive, a customer focused attitude like that goes a long way toward killing that value.

Luckily it seems to be happening on new phones, so if Samsung can figure out what is happening it can develop a patch, and that patch would likely be made available to the users of the new phones.  If this is happening on older phones, users may just be out of luck, since most vendors don’t provide any patches for phones older than about two years.  This also assumes that users bother to install the patches that are available, which is probably less than a 50/50 bet.  Source: Gizmodo.

More Problems for Huawei

While the US government tries to ban Huawei devices, the UK government only said it was “disappointed” at the lack of progress Huawei has made in improving security.  Curiously, this is the fourth such report the UK government has issued over the last 8 years, and the first three said that any risks had been mitigated.  The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Huawei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Huawei equipment, it seems like it would just be a better idea to find another vendor.  Source: BBC.