Vendors – The Weakest Link in Enterprise Risk Management?

From restaurant take-out menus to soda supplies in vending machines to disabled security features on networked printers, your third-party relationships might be trying to attack you. And no, it’s not science fiction.

If you browse the IT security groups on Google+ or elsewhere on the web, you are already familiar with the renewed urgency around third-party vendors and IT security.

Target’s massive and sustained data breach has dominated the headlines with stories about its HVAC vendor falling for phishing attempts and providing attackers access to the retail giant’s customer data, but according to Nicole Perlroth in a New York Times technology story last week, third-party elements—vendors, or peripheral technology like printers, building systems, or surveillance cameras—are providing avenue after avenue for attacks on sensitive customer data, trade secrets, and employee files. And the situation is made all the worse by a lack of understanding of, or attention to, the interconnectedness of networked systems, network access, and the under-the-radar security vulnerabilities created by the interactions of all these elements.

Perlroth relates the example of attackers being foiled in their attempts to break into the network of a large energy company, but then accessing the company’s data by installing malware in a nearby restaurant’s online lunch menu that the energy company’s employees frequently accessed.

According to the Times story, this back-back-door vulnerability can be found in devices like printers, projectors, security cameras, vending machines, HVAC systems, lighting controls, and so on—basically anything that is digitally connected and controlled, whether for inventory management, building management, or any other purpose. These vulnerabilities are often worsened by older operating systems such as Windows XP, which is no longer supported. Even a business that is diligent about its own security and system updates can easily fall prey to the absence of updates and security measures at its third-party relationships.

Frank Cummings, the CEO of AML Partners, LLC, has been developing risk assessments and risk-mitigation tools for more than a decade, and he said that companies that neglect due diligence regarding these types of risk are making themselves—and their customers—incredibly vulnerable to cyber attacks.

“Businesses must tackle their due-diligence responsibilities that exist in every phase of their enterprise. This includes vendor risk assessments, the ongoing tracking of vendor risk and vendor performance, the management and tracking of IT risk, and so on,” Cummings said. “In-depth risk assessments need to cover the IT integration aspects of or with third parties. Nothing can replace proper due diligence—you perform due diligence on your customers and on your employees, so why not on your vendors? They have now become the weakest link in enterprise risk management.”


Copyright © 2024 AML Partners. All rights reserved.