
TECH INTELLIGENCE: Safe suppliers

Is a trusted vendor your cyber defense’s weak spot?

Carl Mazzanti//August 14, 2023//

PHOTO: PIXABAY

Many businesses are aware of the ongoing increases in cyber-criminal activity and are working closely with their outsourced IT support provider to shore up digital defenses. That is great, but what happens when a company’s vendor — who typically has volumes of business clients’ sensitive data — gets hacked? A third-party cybersecurity incident can have serious repercussions. Beyond direct financial losses, third-party breaches can lead to operational damage and reputational harm.  

That is what happened earlier this year, when it was reported that the personal data of more than 50,000 current and former employees of Chicago-based snack giant Mondelez Global — manufacturer of staples such as Oreo cookies and Ritz crackers — was exposed, thanks to an alleged data breach at a legal partner, a global law firm. The hacked information included sensitive details like dates of birth, Social Security numbers, and home addresses. 

And companies cannot say they are ignorant of this kind of challenge. A decade ago, for example, a hacker called “Profile 958” stole the credit and debit card information of more than 110 million Target customers, reportedly using a phishing scheme to gain access to files of Fazio Mechanical Services, a Pittsburgh-based HVAC company that provided refrigeration services to Target and had access to Target’s electronic billing systems. Today, as supply chains get longer, threat actors can exploit security gaps at multiple points, extending the range of threats to 3rd-level, 4th-level, and other supply-chain partners. 

Businesses that work with a partner can take some proactive steps to help safeguard their systems. One key action is to conduct risk assessments of third parties prior to executing any contracts. This kind of due diligence will include reviewing the third party’s cybersecurity protocols and testing them to ensure an effective incident detection and response plan is in place. Inquiries should also be made about the training the third party provides to its employees, contractors, and vendors.

Once a business is satisfied with its partners’ cybersecurity protocols, contractual requirements should be developed requiring the third parties to maintain the policies and practices. Such contracts should reference the third party’s cybersecurity policies and procedures, and the security measures it uses to protect sensitive company data. 


The contract should also reference the third party’s duty to ensure that its subcontractors are bound by the same cybersecurity policies and procedures, and that the third party maintains an inventory of its subcontractors. Data retention and timely data breach notification requirements should be noted in the contract, since this will help ensure legal and regulatory compliance in the event of a third-party data breach. Finally, liability and indemnity limitations and other insurance details should be addressed in the agreement. 

After third-party partners have been vetted, a company should periodically check to ensure that the vendor restricts information access to areas required for the performance of its duties and limits it to individuals who need to access the specific data. Businesses should also require vendors to complete risk-assessment questionnaires and report any changes to their information security programs in a timely manner. 

Businesses may wish to supplement these and other formal actions with informal ones that may yield further valuable information about third-party partners. One such action is to stop by a partner business’ office and ask to speak with an executive — if they value you as a customer, they’ll find a way to clear their desk for a few minutes and make time for you. And consider chatting with a receptionist and other “non-official” employees and ask how their firm is doing: whether it’s a stressful atmosphere or a relaxed one, and if the vendor is growing or if it’s shedding employees. These sideline indicators can provide clues about the “health” of the vendor and help to signal if you should be concerned about the vendor’s access to your sensitive data and systems. 

Threat actors are constantly working on their plans and upgrading their game, but businesses that invest the same level of diligence in their own digital environment stand a better chance of deflecting hackers. 

Carl Mazzanti is president of eMazzanti Technologies in Hoboken.