Hacked! Companies at risk from an unlikely source
Most companies think they have their data security bases covered. But there may be a whole host of hacking threats you’re not prepared for – and they’re not necessarily coming from outside attackers.
Malware and other security threats may come from the vendors you do business with every day.
Think:
- payroll vendors
- janitorial and maintenance firms, and
- suppliers of all stripes.
Case in point: More than 70 million Target customers received an unwelcome Christmas present last year when their driver’s licenses, mailing addresses and emails were hacked. Some customers used Target store cards, but the majority used credit or debit cards.
Target investigated the breach and found the source: It was hit with a virus from a heating, ventilation and air-conditioning vendor that services many of its stores.
Not that it really mattered. Telling clients and customers, “It wasn’t our fault – it was our vendor’s mistake!” wouldn’t sell well or quell concerns that doing business at Target could be dangerous.
The company still hasn’t recovered from the tech disaster. While it has apologized and been honest about the gory details, sales have suffered. Target could face more than a billion dollars’ worth of fines from the Federal Trade Commission.
Steps your IT department can take
So are any of the vendors your company shares data with a potential problem?
Here are four steps DarkReading recommends that can help answer that question:
1. Get the whole picture
Have IT look at where your organization uses vendors and what kinds of data they can access. You need a complete picture of the number of vendors, how they help your organization and – most importantly – whether you have the necessary level of protection for a “compromised” vendor.
2. Have them follow your standards
“Third-party” vendors should know your requirements for keeping data safe. Make sure IT is on top of this.
The more access vendors and suppliers have, the more stringent your security requirements should be.
3. Protect your data first
Are your firewalls and perimeter defenses keeping tabs on emails, reports and other data coming from vendors? They should be.
4. When possible, share only encrypted data
Encrypting data is still the best way to prevent attackers from reading and exploiting company info.