By now, almost everyone knows what happened during the Target breach. In the late fall of 2013, a group of attackers uploaded card-stealing malware to a small number of point-of-sale (POS) terminals in the retailer's stores. That malware ultimately compromised some 40 million debit and credit card accounts over the span of about two weeks. In the months that followed, investigators learned the attackers gained access to the retailer's POS terminals by first compromising a HVAC company to which Target had granted external network access. Via the use of a phishing email, the attackers stole a legitimate set of credentials and used it to access Target's payment system network. Overall, this incident demonstrates that business partners and suppliers can spell trouble for an organization's security. Several years later, many companies have yet to heed that warning. Such is the overarching finding of a study conducted for Tripwire by Dimensional Research back in December of 2015. A total of 320 IT professionals were asked about the challenges that business partners bring to an organization's digital security. Of those who participated, while 81 percent of respondents stated they were confident about their organization's ability to protect sensitive data, just over half (55 percent) had the same level of confidence when it came to their company's business suppliers and partners. To address that concern, nearly half (43.6 percent) of respondents revealed their organization requires that its business partners and suppliers pass a security audit if they are to sign a contract with them. Other companies are more indifferent about the security of their supply chain, however. For instance, more than half of all organizations stated they have "bigger concerns" than the threat of a security breach at a supplier or partner exposing shared sensitive information. Perhaps it is this mentality that has led approximately one-third of companies to neither require security audits of its supply chain companies nor to refuse potential business partners and suppliers if they fail their audits. A quarter of enterprises don't even check to see if their suppliers meet their security requirements, with a lack of resources and/or understanding primarily to blame for that oversight. In reality, organizations need to care about the security of their supply chain, as it affects an their ability to securely process payments, implement the Industrial Internet of Things (IIoT), or fulfill other business-critical functions.
"Every organization needs to evaluate the security risks associated with their business partners," said Tim Erlin, director of IT security and risk strategist for Tripwire. "Partnerships provide an important growth mechanism for organizations today, but they also introduce risk. Organizations must invest in securing their points of interaction with partners."
For some ideas on how you can monitor the security of your supply chain, please click here. You can also view the results of Tripwire's survey in full here. Title image courtesy of ShutterStock