The Target breach illustrated just how important vetting third parties is. The hack was successful for a number of reasons (including Target’s failure to act on the attack much earlier, when it was detected), but the initial breach happened through a small vendor which had single-factor remote access to Target’s network. It’s unclear what Target’s third-party evaluation process was, but it is absolutely clear that it didn’t work. Existing relationships with third-party vendors can make evaluation difficult, as reliance on those vendors for specific services might be considered too mission-critical to disrupt. Companies must still do their due diligence; the good news is that it doesn’t need to be disruptive, assuming your third party is truthfully answering your questions about their security.
The following are some warning signs that your third party is not secure or is not being upfront about its commitment to security:
You can still consider doing business with these companies under three conditions:
If third parties are overlooked or trusted without verification, a company risks a breach: the equivalent of handing your identification and sensitive information to a stranger on the street. Most risk metrics would call this unacceptable, and if you’re even partially responsible for keeping people employed you should have the same point of view. If you see any of the warning signs above in your vendor, ensure you are covered in your contracts or find another vendor.