Using third-party vendors? Keep a close eye on them

Jun 17, 2015 | 4 mins
IT Leadership | Security

Cybersecurity is only as strong as the weakest link. If your organization is using third-party vendors, policing their activity is critical to cybersecurity.

Few can forget the theft of 110 million customer credit cards from Target in December 2013. But not as many know how hackers gained access to such a vast amount of sensitive information. How’d they do it? By compromising the security of a third-party vendor, a Target branch store’s HVAC provider.

Turns out a phishing email duped an employee at the HVAC company, Fazio Mechanical, into installing a piece of malware on their computer. With inadequate anti-malware software in place, the program slipped by undetected and then handed over login credentials to the hackers. With the keys to the castle in hand, the hackers ran wild and stole everything they could.

This massive heist is still being sorted out in the courts, but it serves as a great example of how security is only as strong as the weakest link. While companies pay enormous sums to lock down their most sensitive data (to the tune of $77 billion globally this year, as forecasted by Gartner), how much are they still leaving exposed via third parties?

While the cost of a serious data breach is hard to calculate, it is generally accepted as high. One report estimated it at $400 million for 70 organizations in various industries globally. The question is what the enterprise can do to protect itself from third-party vendor security breaches.

Treasury Department Gets into the Act

Responsible for protecting customers’ money, financial institutions have had to confront cybercrime directly. As the threat has grown to include every industry, their investigations into preventing third-party vendor data breaches offer useful guidance on prevention.

For example, the Office of the Comptroller of the Currency (OCC) compiled a list of “gotchas” that point to several risk profiles, none of which are exclusive to banks:

  • Failure to properly assess, understand, and document the risk and cost of outsourcing services.
  • Failure to perform proper due diligence and ongoing monitoring.
  • Entering into contracts without a proper assessment of the third party’s risk controls.
  • Entering into contracts that could incentivize a third party to take risks in order to maximize profit, even if those risks could be detrimental to the bank or its customers.
  • Engaging in third-party relationships without a formal contract, or with inadequate contracts.

Obviously, these recommendations can apply to all industries.

Questions to Ask

Prevention is all about planning. Before entering a business relationship with a vendor (or if you’re already thinking of filing for divorce), a company concerned about third-party risk should ask the following questions: 

  • Why are these services being outsourced in the first place?
  • Is there any possibility the third party will subcontract?
  • Do they have data centers based overseas?
  • What data is being shared?
  • What is the plan in the event of a third-party failure or breach?
  • How often are vendors assessed?

These questions should be answered with solid documentation, including a map of third-party relationships, performance reports, audits, reviews, and a comprehensive due diligence report. If a company is serious about security, what was previously agreed upon with verbal promises has to be supplanted with a paper trail.

Trust is necessary in every relationship, but too much blind trust, while expedient, can potentially open your company to breaches and legal liability. As we’ve seen with the Target case, sorting out a large data breach is a long and costly process.

Re-Evaluating Vendor Assessments

No two vendor relationships are alike, and not all vendors should be treated the same or painted with the same security assessment brush. As it is, traditional vendor assessments fall short in two areas: 

  • Rating reports largely produce an arbitrary score that fails to capture the bigger picture. Important questions to ask instead when dealing with a vendor include, “What is the nature of this relationship?” and “What is our potential exposure in the event of an incident?”
  • Regular reviews are typically performed on an annual basis, which hardly brings urgency to the issue. In potentially risky relationships, continuous monitoring done in real time may be necessary.

Unfortunately, you can’t leave house keys under the doormat for the plumber. Businesses put themselves at serious risk if they expect their third parties to do the right thing, or if they assume their vendors are infosec-savvy. Perhaps “Trust but verify” should be replaced with, “Confirm partners take security as seriously as you do.”

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.