Vendor Cyber Risk Management

Perhaps you remember Fazio Mechanical, the unfortunate HVAC contractor that was the access point to Target for its massive 2013 data breach. Using network credentials stolen from Fazio, attackers broke into the retailer’s network in November 2013. Data containing the names, mailing addresses, phone numbers, email addresses and payment card information for up to 70 million people was compromised.

Fazio Mechanical was far from an anomaly. Hackers often look for vulnerabilities in vendors’ security systems as a way into a target company’s network. Supplier networks are often more vulnerable than those of the target enterprise, which may have more resources devoted to security. Home Depot and Boston Medical Center are other examples of organizations that were breached as a result of compromised third parties. Recently an Indiana hospital paid hackers to decrypt patient records that were targeted in an attack launched through an outside vendor’s account.

Network security is increasingly a key consideration in vendor risk assessment, and companies are starting to integrate cybersecurity into their supplier qualification criteria. A number of cybersecurity software companies offer tools to assess vendor cyber hygiene, and many do a good job of identifying security flaws and summarizing exposures through scoring systems or in easy-to-understand reports.

Read more at https://www.advisenltd.com/blog/2018/02/20/vendor-cyber-risk-management/

Dave Bradford. (2018, February 20). Vendor Cyber Risk Management [Blog].

This blog post is an excerpt of the original. The content originally appeared in Advisen Blog.
