Investigations into security breaches over the past year show it's more important than ever for third-party security to be an integral part of every enterprise security policy. A recent security lapse at Lowe's occurred because of a third-party vendor's failure, yet the home-improvement giant was left scrambling to pick up the pieces and repair its reputation. As IT grows and outsourcing becomes more common, the industry as a whole is finally coming to understand the importance of securing third-party software alongside in-house IT assets.
The security breach at Lowe's was discovered in April 2014. The retailer was using a third-party vendor called E-DriverFile to manage compliance documentation. The vendor recorded and stored information — including names, addresses, dates of birth, Social Security numbers, driver's licenses and driving records — for current and former Lowe's drivers and system administrators.
According to FierceITSecurity, the vendor unintentionally backed up all that information, unencrypted, to an internet-facing server. The information was accessible to the internet at large from July 2013 until April 2014, when the error was discovered and corrected. In a letter to those affected, Lowe's vice president of human resources stated there was no reason to believe any of the information had been misused; however, the investigation suggests information may have been accessed while it was available online.
Lowe's provided a year of free credit monitoring to those affected, but the ramifications for the business went far beyond shelling out cash to help protect those who might have had their information stolen. This breach came amidst a number of high-profile security incidents, garnering far more press than it otherwise would have. Because of this, Lowe's had to overcome the public perception that it was lax on IT security — or risk having customers take their business elsewhere out of fear.
The harsh reality for modern enterprises is that if a breach affects your employees, partners or customers, the public perception and demanded restitution will focus on the company regardless of whether or not a vendor was truly at fault. When combined with the recent explosion in outsourced IT, third-party software and systems are truly becoming the new perimeters for enterprises.
Issues like the one at Lowe's happen because of a discrepancy between an enterprise's IT security policy and the security policies of the vendor it used. One would assume that a business as large and customer-centric as Lowe's would have established IT policies that either prevent the accidental backup of information or check systems for vulnerabilities that could expose data — but the same can't be said for the many vendors a company that large has to deal with. Even if well over 90 percent of vendors are secure, it only takes one breach to cause a major information security incident.
Solving this growing problem begins with effectively managing the relationship between the enterprise and the vendor. This means being explicit about the security measures that a vendor is required to have in place when contracts are drafted. Vendor security self-assessments are good to start, but they should be augmented by more in-depth reporting solutions such as vBSIMM or SIG. Even then, assessments and site visits can only do so much, and the cost of modern data breaches — both in restitution and in brand damage — necessitates a more robust solution.
Software supplied or hosted by third-party vendors needs to undergo the same scrutiny as software developed in-house. This means working with vendors to scan existing applications through a repeatable, policy-based process to ensure they meet modern security standards. It also means working with them to integrate security measures into their software development lifecycles to ensure that future code comes out as clean as possible, limiting remediation requirements.
While it's possible for CISOs to do the legwork and institute vendor security programs on their own, many are turning to dedicated software security specialists. These businesses leverage their experience in both understanding the most pressing threats to applications and getting vendors and enterprises to work together to make the compliance process as seamless as possible. Security experts work with enterprises to define third-party security goals, then bring in all parties to ensure code, software and systems are within the defined guidelines.
Whatever path an individual enterprise takes, the most important thing is understanding the risks third-party software poses. Even when an enterprise itself has little or no involvement with the development, management or hosting of a vulnerable application, if the company's brand is on a product, that company will take the blame if an incident occurs.
Photo Source: Flickr