People make mistakes and it seems we do not learn our lessons. The stakes are high when securing data. Once you’ve “let the genie out of the bottle,” and experienced a data breach, there’s no undoing it. Once this has happened, the best you can do is mitigate the damage and learn so that you can avoid a repeat performance.
The Target data breach in 2014 started with a successful phishing email sent to one of Target’s HVAC vendors. In this example, the HVAC vendor was using a free version of Malwarebytes anti-malware. According to, “Email Attack on Vendor Set Up Breach at Target — Krebs on Security,” this version is not licensed for corporate use and does not perform real-time scans. Target’s vendor was not following basic cybersecurity best practice.
In the case of the Equifax breach in 2017, the company blamed the breach on outside open source software they used (Apache STRUTS). However, Equifax failed to apply a patch for the vulnerability in a timely manner. Former CEO Richard Smith admitted in his written testimony that DHS sent Equifax a notice of a patch required to address the software vulnerability in March 2018. According to the article, “1 Prepared Testimony of Richard F. Smith before the … – House Docs,” the IT team at Equifax did not adequately apply the patch that caused the breach in late July. While the software vendor might have been more persistent, the ultimate responsibility lies on Equifax’s shoulders to protect the 140 million U.S. consumers whose personal data was compromised.
In March 2018, cybersecurity firm Kromtech discovered that MBM Company, one of Walmart’s jewelry vendors, had left a database on Amazon’s web server exposed to the public. The jeweler exposed over 1.3 million records that contained shoppers’ names, addresses, phone numbers, plaintext passwords and payment information. The database contained records from other retailers also, and records were seen dating back to the year 2000.
VENDOR DUE DILIGENCE CHECKLIST
- Ask for evidence of the vendor’s security policies and check references.
- Consider asking for a Business Associate Agreement which is required for HIPAA, regardless of if HIPAA applies or not. The reason you would ask even if it does not apply is that their response is information. Any reputable vendor will know about this regulation and when it applies.
- Ask about the last time they performed a security risk assessment. Have they had a third party audit of their security and compliance efforts?
- Do they have business-grade antivirus and/or anti-malware defense software installed on all desktops, laptops and servers? Do they have business-grade network defenses, such as actively maintained intrusion detection and prevention?
- What software do they use? How is it patched? Are all operating systems fully supported? Are all systems under warranty?
- How is your data backed up? What are the recovery point and recovery time objectives? Is the data backed up in multiple locations?
- Do they perform criminal background checks on their employees?
- How do they train their employees about IT security?
- Obtain an NDA. Your third party vendor should take responsibility for securing your sensitive data as seriously as you do.
- Do they have cyber-liability insurance? Understand how this coverage protects the vendor and how it might or might not protect your firm. Your vendor’s insurance may not cover the companies they support except for certain scenarios, so you may need your own coverage additionally.
- Review the vendor’s privacy policy.
- The termination clause in your agreement should address terminating access to your network, devices and data.
- Request that your vendor sign-off that they have returned all physical copies of your data, destroyed any copies, and will maintain the confidentiality of all proprietary and protected information gathered during the engagement.
- Notify the appropriate parties about the terminated relationship and prohibit the further exchange of or access to company data.
Once you have vetted and selected a vendor with a good reputation and strong policies, I advise checking in with them on updates. Remember you are still ultimately responsible for what happens with your firm’s data. Careful due diligence, reference checking and periodic review can reduce your risk. Stephanie Kinsey
