Ajay Malik

World is not an iPhone, iPad, iWatch…

World is not an iPhone, iPad, iWatch... The world changed its direction a dozen years ago when Steve Jobs introduced a revolutionary new product to the world: the first Apple iPhone. And, today, the plummeting sales, plateauing of innovation and saturation of the market is perhaps
/
Bill Schmarzo

Using the Digital Transformation Journey Workbook to Deliver “Smart” Spaces

Key points of this blog include: Digital Transformation sweeps aside traditional industry borders to create new sources of customer and operational value Unfortunately, Digital Transformation and “smart” initiatives are struggling, and organizations will need a more pragmatic approach to successful execution per Forrester research Organizations must
/
Kayla Matthews

Addressing Third-Party Security Vulnerabilities in 2019

Third-Party Security Vulnerabilities

Organizations and businesses often spend a lot of time worrying about internal security, both online and off. Infrastructure is often put in place with security front and center, as a means to mitigate potential risks and data breaches.

Unfortunately, it doesn’t matter how secure a network or infrastructure is, because there are still ways companies can be attacked.

Third-Party Security Vulnerabilities

 

Third-party products and services are integral to a lot of businesses and are included in a wide variety of processes.

Auditing, compliance monitoring, vendor and partner support, hardware and software monitoring, maintenance and troubleshooting — all these applications may require the use of third-party tools and services. Unfortunately, every single one of them is vulnerable to an outside attack, which means companies involved with them are, too. That also extends to customers and clients.

With each organization or service provider that is involved with business operations, the risks grow exponentially. In many cases, however, companies have to rely on a third party as there’s no other option. That’s where the idea of a third-party risk mitigation strategy or approach comes into play.

It’s necessary to identify, assess and mitigate certain risks associated with third-party dealings and services.

Why Do Third-Party Breaches Matter?

During April and May in 2018, it was revealed that a small group of retailers was compromised by a massive breach, including Best Buy, Sears, Kmart and Delta Airlines. In terms of goods and services, these companies are hardly related. However, they all relied on a third-party brand called [24]7.ai, which offers chat and customer service tools.

It turned out that [24]7.ai had been compromised via a particularly nasty strand of malware resulting in the breach of incredibly sensitive customer information. Some of the stolen data included credit card numbers, expiration dates, CVV info, customer addresses, names and much more.

Thousands of customers from each of the different companies — and then some — were affected by the breach, which was essentially out of the hands of said retailers.

The company was a third-party vendor that all these retailers were doing business with, and yet the breach affected them as if their own systems or networks had been compromised. It shows that third-party breaches can be just as damaging for organizations as internal ones, if not worse.

The [24]7.ai breach wasn’t the only one that occurred last year, however. Additional high-profile attacks were carried out on brands like Saks Fifth Avenue, Lord & Taylor, MyFitnessPal, Universal Music Group, Applebee’s and many others.

Follow the Six-Step Plan

To mitigate the risks associated with third-party vendors and services, it’s always a good idea to follow a strict plan or strategy — ideally one that is set in place before striking up partnerships or signing contracts.

1) First, establish a vendor management or vetting program. Begin with an introductory assessment that reviews how secure a platform is and whether or not there has been a breach in the past. While looking at a new credit card processor, for example, it’s crucial to check if its systems were affected by a data breach before, and if it was, how things have been improved or updated since.

2) Rank all vendors and partners according to risk. Catalog them based not only on the risk they pose, but also the data they handle. If a vendor is riskier than the others on the list but does not deal in sensitive customer information, it may warrant ranking them higher. Furthermore, update this list regularly and often to ensure priorities remain in order.

3) When striking a new partnership or agreement, cover all the bases by ensuring the third party understands what security protocols should be followed, and what that means for general operations. Ultimately, a third party’s security solutions should be considered too, in order to get a grasp on how protected data will be after it’s exchanged.

4) Endpoint security is an absolute must when working with third parties. Ensure it’s been properly deployed and that core business systems are protected at all times.

5) Stay informed about industry events, especially third-party attacks and breaches. The National Vulnerability Database is an excellent resource for checking up on what’s happening.

6) Develop a plan for dealing with a potential breach or attack before something happens. Even if there are no sensitive details lost, it’s important to take proper action. Ensure that a network or access point is under control and no longer compromised. Secure existing data and any incoming information from further attacks. Lock down systems so any intruders who have yet to be identified cannot cause more damage. Watermark’s response to the infamous Spectre and Meltdown vulnerabilities has been exceptional and serves as an example of how to deal with third-party security vulnerabilities in the aftermath of discovery.

Organizations should always have a full understanding of the data available to them and within their reach. Where is it stored? Who has access to the systems and information? How is it protected, and are there ways around the security? How sensitive is the information and what kind of damage will occur if it’s stolen?

These are all critical components of understanding what, how and where certain data is being used, and how to better protect it.

By Kayla Matthews

  • Articles
Kayla Matthews Contributor
Technology Writer

Kayla Matthews is a technology writer dedicated to exploring issues related to the Cloud, Cybersecurity, IoT and the use of tech in daily life.

Her work can be seen on such sites as The Huffington Post, MakeUseOf, and VMBlog. You can read more from Kayla on her personal website, Productivity Bytes.

follow me

CLOUD PARTNERS | SPONSOR SERVICES

Imminent IoT Eye-Tracking Technologies To Transform The Connected World

Imminent IoT Eye-Tracking Technologies To Transform The Connected World

IoT Eye Tracking Smelling may be the first of the perceptible senses, but the eye is the fastest moving organ in the human body. While ...
Safeguarding Data Before Disaster Strikes

Safeguarding Data Before Disaster Strikes

Safeguarding Data  Online data backup is one of the best methods for businesses of all sizes to replicate their data and protect against data loss ...
The Massive Growth of the IoT Services Market

The Massive Growth of the IoT Services Market

Growth of the IoT Services While the Internet of Things has become a popular concept among tech crowds, the consumer IoT remains fragmented. Top companies ...
Firefox is testing a VPN, and you can try it right now - It’s part of the revitalized Firefox Test Pilot program

Firefox is testing a VPN, and you can try it right now – It’s part of the revitalized Firefox Test Pilot program

/
Last week, Mozilla said its Firefox browser would block third-party trackers for everyone by default and yesterday, Mozilla announced a new product that could give Firefox users even more privacy ...
The Guardian

Google, Facebook, Amazon and Apple asked to turn over internal documents

/
The US government’s investigations into big tech widened on Friday as lawmakers announced they were seeking internal documents from Google, Facebook, Amazon and Apple. Letters went out to the four ...
BBC Tech

Data on almost every Ecuadorean citizen leaked

/
Personal data about almost every Ecuadorean citizen has been found exposed online. Names, financial information and civil data about 17 million people, including 6.7 million children, was found by security company ...

TRENDING | TECH NEWS