Security chiefs everywhere are growing more concerned about how open businesses should be with their third-party providers. A range of valuable information is given to these suppliers, and once they have it, the businesses lose direct control. Even the most innocent-looking connections can be exploited. The attackers who cracked Target exploited a web services application that the company's HVAC (heating, ventilation and air conditioning) vendor used to submit invoices.
Take the data breach at Target in 2013. According to Thor Olavsrud, rumors started that Target had been compromised, and it soon became clear that attackers had obtained the personally identifiable information (PII) of 70 million customers as well as data for 40 million credit and debit cards. CIO Beth Jacob and Chairman, President and CEO Gregg Steinhafel resigned. Target's financial damages may reach $1 billion, according to analysts.
"Third-party providers will continue to come under pressure from attacks and are unlikely to be able to provide assurance of data confidentiality and integrity," said Steve Durbin, managing director of the Information Security Forum (ISF), a nonprofit association that assesses security and risk management issues on behalf of its members. "Businesses of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their intellectual property, customer or employee information, commercial plans or negotiations. And this thinking should not be confined to manufacturing or distribution partners. It should also embrace your professional services suppliers, your lawyers and accountants, all of whom share access oftentimes to your most valuable data assets."
His advice is that infosec (information security) specialists should work closely with those in charge of contracting for services to conduct thorough due diligence on potential arrangements. Durbin also said that it is imperative for organizations to have robust business continuity plans in place, both to boost resilience and to give senior management confidence in those functions' abilities. A well-structured supply chain information risk assessment can provide a detailed, step-by-step way to break an otherwise daunting project into manageable components. This method should be information-driven rather than supplier-centric, so that it is scalable and repeatable across the enterprise.
Organizations need to treat privacy as both a compliance issue and a business risk issue, in order to reduce regulatory sanctions and business costs such as reputational damage and the loss of customers that follow privacy breaches.