People make mistakes, and it seems we do not learn our lessons. The stakes are high when securing data. Once you have "let the genie out of the bottle" and experienced a data breach, there is no undoing it; the best you can do is mitigate the damage and learn enough to avoid a repeat performance. Cheaper still is to learn from the mistakes of others. So, what can we learn?
The Target data breach of late 2013, which exposed payment card data and personal information on more than 110 million shoppers, started with a successful phishing email sent to one of Target’s HVAC vendors. That vendor was reportedly running the free version of Malwarebytes anti-malware, which is not licensed for corporate use and does not perform real-time scanning. Credentials stolen from the vendor were then used to reach Target’s network. Target’s vendor was not following basic cyber-security practice, and Target paid for it.
In the case of the Equifax breach in 2017, the company pointed to a vulnerability in open source software it used (Apache Struts, CVE-2017-5638). However, a fix had been available for months, and Equifax failed to apply it in a timely manner. Former CEO Richard Smith admitted in his written testimony that the Department of Homeland Security (US-CERT) notified Equifax in March 2017 that a patch was required to address the vulnerability. Equifax’s IT team did not fully apply the patch, and the intrusion through the unpatched system was discovered in late July. The Apache Struts project had published both the advisory and the fix; a community project cannot chase every user down, so the episode is a good reminder that the ultimate responsibility for protecting the more than 140 million US consumers whose personal data was compromised lay on Equifax’s shoulders.
Fast forward to March 2018, and cybersecurity firm Kromtech discovered that MBM Company, one of Walmart’s jewelry vendors, had left a database backup in a publicly readable Amazon S3 storage bucket. The jeweler exposed over 1.3 million records that contained shoppers’ names, addresses, phone numbers, plaintext passwords and payment information. The database also contained records from other retailers, with records seen dating back to the year 2000. “The negligence of leaving a storage bucket open to the public after the publication of so many other vulnerable Amazon s3 buckets is simple ignorance. Furthermore, to store an unprotected database file containing sensitive customer data in it anywhere directly online is astonishing, and it is completely unfathomable that any company store passwords in plain text instead of encrypting them,” according to Kromtech Security’s report. One correction to the report’s wording: stored passwords should be hashed with a salted, deliberately slow password hash (bcrypt, scrypt or Argon2), not encrypted. Encryption is reversible with the key, and a leaked database alongside a leaked key still yields every password.
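The open bucket in the MBM case is a configuration error that can be checked mechanically. The following is an added example, not code from the article, Kromtech, MBM or Walmart: it evaluates the two controls that decide whether an S3 bucket is publicly reachable, the Block Public Access settings and the bucket policy, against two constructed configurations, one in the exposed shape and one hardened. The bucket name `example-customer-export`, the account ID `123456789012` and the role name are placeholders; the JSON shapes match what `aws s3api get-public-access-block` and `aws s3api get-bucket-policy` return, so the functions can be pointed at real output.

```python
"""Check whether an S3 bucket configuration exposes objects to the public.

Added example, not code from the original article or from Kromtech/MBM.
The bucket configurations below are constructed for illustration; the real
MBM bucket's settings were never published.
"""
import json

# Constructed: every Block Public Access guard off, plus a policy that grants
# anonymous read of every object. This is the "open bucket" shape.
EXPOSED_BUCKET = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": False,
        "IgnorePublicAcls": False,
        "BlockPublicPolicy": False,
        "RestrictPublicBuckets": False,
    },
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAnonymousRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-customer-export/*",  # placeholder bucket
        }],
    }),
}

# Constructed: the same bucket hardened. All four guards on, and the policy
# grants read only to one IAM role in the (placeholder) account.
HARDENED_BUCKET = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    },
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-customer-export/*",
        }],
    }),
}


def principal_is_public(principal) -> bool:
    """True if a policy Principal matches anyone, anonymous callers included.

    AWS treats "*" and {"AWS": "*"} as the public principal; a list of AWS
    principals is public if "*" appears anywhere in it.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            return True
    return False


def public_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements aimed at a public principal.

    A Condition block may narrow such a statement (to a VPC, a source IP...),
    so it is flagged for review rather than silently treated as safe.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            sid += " (conditioned; review the Condition)"
        findings.append(sid)
    return findings


def assess_bucket(bucket: dict) -> dict:
    """Combine the Block Public Access settings with the policy scan.

    Object ACLs are not examined here; with BlockPublicAcls and
    IgnorePublicAcls on, public ACLs are neutralised anyway.
    """
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    guards_off = [k for k in ("BlockPublicAcls", "IgnorePublicAcls",
                              "BlockPublicPolicy", "RestrictPublicBuckets")
                  if not pab.get(k, False)]
    public = public_statements(bucket.get("Policy", "{}"))
    # RestrictPublicBuckets makes a public policy inert for callers outside the
    # account, so a public statement is an open exposure only when it is off.
    exposed = bool(public) and "RestrictPublicBuckets" in guards_off
    return {"guards_off": guards_off, "public_statements": public, "exposed": exposed}


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, assess_bucket(cfg))
```

Run against every bucket in an account, a non-empty `guards_off` list is worth a finding on its own even when the policy is clean, because it means nothing stops a future policy or ACL change from opening the bucket.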
The list goes on and on. How do you evaluate your vendors? Perform due diligence on every vendor that might touch your data, and repeat it periodically. Here are a few suggestions for your checklist:
Vendor Due Diligence Checklist
Information Security Program
- Ask for evidence of the vendor’s security policies and check references.
- Consider asking for a Business Associate Agreement (BAA), the contract HIPAA requires between a covered entity and any vendor that handles its protected health information, even if HIPAA does not apply to you. Their response is information: any reputable vendor will know about this regulation and when it applies.
- Ask when they last performed a security risk assessment, and whether a third party has audited their security and compliance efforts (a SOC 2 report or ISO 27001 certification, for example). Ask to see the report, not just the claim.
- Do they have business-grade antivirus and/or anti-malware defense software installed on all desktops, laptops and servers? Do they have business-grade network defenses, such as actively maintained intrusion detection and prevention?
- What software do they use? How is it patched, and how quickly after a vendor advisory? Are all operating systems still supported and receiving security updates? Are all systems under warranty?
- How is your data backed up on their side? What are the recovery point and recovery time objectives? Are the backups stored in multiple locations, encrypted, and tested by actually restoring them?
- Do they perform criminal background checks on their employees?
- How do they train their employees about IT security, including recognizing phishing, which is how the Target breach began?
- Obtain a non-disclosure agreement. Your 3rd party vendor should take responsibility for securing your sensitive data as seriously as you do.
- Do they have cyber-liability insurance? Understand how this coverage protects the vendor and how it might or might not protect your firm. Your vendor’s insurance may not cover the companies they support except in certain scenarios, so you may need your own coverage as well.
Manage the Termination Process
When you part ways with your vendor, ensure that there is a professional transition.
- The termination clause in your agreement should address terminating access to your network, devices and data: disabling accounts and VPN access, rotating any shared passwords or API keys, and retrieving company-owned hardware.
- Request that your vendor sign off that they have returned all physical copies of your data, destroyed any remaining copies (including backups), and will maintain the confidentiality of all proprietary and protected information gathered during the engagement.
- Notify the appropriate parties about the terminated relationship and prohibit the further exchange of or access to company data.
Once you have vetted and selected a vendor with a good reputation and strong policies, I advise checking in with them periodically for updates; the posture they showed on the day you signed is no guarantee for next year. Ultimately, you need a certain level of trust with anyone your business engages with, but remember that you remain responsible for what happens to your firm’s data. Careful due diligence, reference checking and periodic review can reduce your risk.