Cybersecurity and Third-Party Risk. Gregory C. Rasner
security tests, and regularly review information security policies. PCI‐DSS is tested regularly, and its standards are considered rigorous. It is not regulated by the government; instead, it's a group of companies that standardized their practices. In other words, private companies collaborated to create what is nationally viewed as a success in security.
Third‐party risk, or what another company is doing to lower risk to your company, might seem like it places a CISO and the cybersecurity organization at a disadvantage because they cannot control what goes on at another entity. However, that is a myth. While a third party cannot be directly controlled, there are ways to direct and monitor their behavior and choices to greatly reduce your risk. Anyone who has ever been taught risk or worked as a risk professional knows the mantra: Risk can never be zero. In fact, anything is possible. Regardless of whether your company is using all the fancy technology and expensive software, or employing hundreds of cybersecurity professionals hunting for vulnerabilities, there still is a chance, or risk, of a breach.
The goal is to reduce risk to a level that is commensurate with your company's effort to reduce it, based upon its risk appetite. This risk reduction effort of a third party requires a change in a company's cybersecurity approach and attitude. As we dive into the numbers, it will become apparent that not enough companies perform the required due diligence. Out of those that do, some do not perform it at the level necessary to reduce the risk. Often, risk reduction is performed as a compliance effort, and merely viewed as a checkbox to complete in order to keep regulators and auditors at bay. This attitude of “ignoring the risk” or “doing it as ‘checkbox’ security” has left cybersecurity Third‐Party Risk Management (TPRM) without adequate attention and activity.
Compliance Does Not Equal Security
Compliance is not security, yet security is an important piece of compliance. By definition, being compliant is when your organization meets the minimum requirements for specific regulations at a specific moment in time. If we look at many of the companies on the recently breached list, it's likely all were meeting their regulatory obligations for compliance in their respective industries. In the case of Target when its payment system was hacked, it had just completed a certification of its PCI‐DSS. Most regulations are simply a form of deterrence (of things like insider trading or dumping chemicals into a river). Regulations discourage bad behavior either by people or companies.
Security is an ongoing activity—a continuously occurring activity and not one that occurs at a point in time. Compliance activities are performed as a checklist by internal or external auditors to verify that a company's team is following regulations. It is an important activity that helps prevent bad acts. Employees and companies see these checks being performed, then are discouraged from doing bad things, such as ill‐gotten gains via insider trading or killing fish by dumping chemicals. Security has the dubious distinction of being sure data is not lost. Once data is lost, it cannot be retrieved—it is gone forever into the Dark Web or other places. The deterrent must come from the company's cybersecurity efforts, not the government regulators.
A company can be 100‐percent compliant and also be 100‐percent owned by hackers. For example, you can drive a car with seatbelts, an automatic brake system (ABS), collision detection and avoidance, blind spot detection, and more, all turned on. Say your car is up to current safety regulations, and you, the driver, are all buckled up and sober. There should be no accidents or injuries. Yet another driver, who doesn't always pay attention to the safety warnings, fails to perform their best practices while driving, resulting in a collision with injuries. You, a driver, were 100‐percent compliant, yet another driver was not.
Another difference in compliance activities is the timing of each action. Compliance activities are done at a certain point in time for what is present in terms of controls and checks. Another third party (i.e., auditors, regulators) or an internal team ensures that the company they're working with satisfies a set of requirements that allows it to continue to perform business. When all conditions have been satisfied, the compliance activity is finished. Security, however, is never finished. It is continually monitored, reviewed, and improved.
Third‐Party Breach Examples
Throughout many chapters in this book, you will find case study sections where we dive into some of these breaches. However, it is important to understand the scope and history of how often third‐party incidents occur. Many public breaches attributed to a particular company are, in fact, the result of a third party. One of the most well‐known examples is the Target breach. In fact, it was Target's Heating, Ventilation, and Air Conditioning (HVAC) provider that was breached to get access to Target's data.
Following are a few examples of the major third‐party breaches to show how easily they cross over any boundary (i.e., geographic, sectors, sizes):
Target (2013): The data of 70 million customers and 40 million credit/debit card information records was leaked by HVAC company Fazio Mechanical Services.
Lowe's (2014): Millions of drivers' records were exposed by SafetyFirst, a vendor that stored the exposed data in an online database.
JP Morgan Chase & Co (2014): Contact information for 76 million consumers and 7 million small businesses was exposed by a third‐party website used to sponsor a foot race.
Sam's Club, Costco, CVS, RiteAid, Walmart Canada, Tesco (2015): Millions of customer data records were hacked at PNI Digital Media, which is used for online photo ordering and printing.
T‐Mobile (2015): A total of 15 million personally identifiable information (PII) records were leaked by Experian, a customer credit assessment company.
Forever 21 and Hyatt Hotels (2017): An unknown number of credit card data records were released due to its POS system.
Uber (2017): Coding site GitHub's misconfiguration caused data for 57 million users to be exposed.
Equifax (2017): Highly confidential data for 143 million consumers was released due to an undisclosed third‐party tool used to build web applications.
Verizon (2017): The restricted data of 14 million customers was exposed by customer analytics provider NICE Systems.
Hard Rock Hotels & Casinos (2017): Sabre Corp, a travel reservation service, was exploited, causing a leak of credit card data for an undisclosed number of customers at 11 of its properties.
ShadowPad (2017): A server management software (made by NetSarang) used by hundreds of multinational and large companies worldwide exposed a still unknown number of protected data records.
Republican National Committee (2017): The PII for 200 million registered Republican voters was leaked via the third‐party Deep Root.
BevMo (2018): Online payment provider NCR Corporation was breached for over 14,000 BevMo customers.
Nordstrom (2018): A third‐party tool that managed the direct deposit permitted the personal information about Nordstrom's employees to be leaked.
Ontario Cannabis Store (2018): Canada Post, an online tracking tool, allowed the loss of the store's customer data.
SuperMicro (2018): A flaw present in the microchips used by major companies, such as Apple and Amazon, caused an unknown amount of data to be leaked.
Facebook (2018): Any platform that shared login credentials with Facebook resulted in the exposure of 50 million user accounts.
The Conservative Party (UK) (2018): CrowdComms, a conference application used by the Conservative Party, was the party responsible for the loss of protected data about Ministers of Parliament (MP), conference attendees, and journalists.
British Airways (2018): An undisclosed third‐party misconfiguration of JavaScript caused the financial and personal information of over 300,000 customers to be released.
University of Louisville (2018): Health Fitness, a fitness