How your vendor contracts may be putting you at risk for cyberattacks

In 2013 the retailer Target suffered a massive data breach, with hackers stealing the credit card information of more than 40 million customers, and the addresses and phone numbers of more than 70 million.  You may ask, how could this happen to Target, a large company with enormous resources devoted to IT systems?   Just a few months earlier, Target had spent $1.6 million on a malware detection system, and had a team in India monitoring 24/7 for cyberattacks.

How did the hackers get into such a robust system?  First, they hacked into the computers of a refrigeration contractor servicing some of Target’s stores.  The hackers used “phishing” to do this.  Phishing uses emails that appear to be legitimate, often with an attachment pretending to be an invoice, a report, or some other business document.  The hacker sends the phishing emails to the employees of a target company.   When someone opens the attachment, malicious software (called “malware”) can enter that company’s network and start doing bad things. These actions by employees, usually unintentional, are now the most common entry point for cyber-intrusions.

This contractor did not have strong anti-malware software in place, which allowed the hackers to obtain login credentials for the contractor’s network. From there they probably moved into Target’s system through a portal used by Target and the contractor to track their business dealings.  And from there, the hackers got into Target’s point-of-sale (POS) system and stole credit and debit card information.

With all of the measures that Target had in place to improve its cybersecurity and prevent attacks, and the millions it invested in those measures, it got hacked because of weaknesses at a third-party vendor.  According to PricewaterhouseCoopers, 22 percent of breaches in 2015 were attributable to outside contractors or vendors, up from 18 percent the year before.  David Cowan, partner in a prominent Silicon Valley investment firm, was quoted in the Denver Post on April 18, 2017 as saying, “For an enterprise today, managing cyber risk requires visibility into the extended network of vendors who store information about us.”

Every business enters into contracts with third parties such as payroll providers, HVAC contractors, IT companies, and insurance companies.  Those companies may have a connection to your network, or they may hold sensitive personal information on your employees or customers.  If those third parties are hacked, one of two things could happen.  First, as with Target, hackers could use the third party to gain access to your network and wreak havoc.  Second, if the vendor holds personal information, hackers could steal that data and sell it to others.  And those affected by the breach—your customers, banks, and the government—will come after you, because it was your data.

Responding to a data breach can be very expensive.  For large companies such as Target, the cost ran into the tens of millions of dollars, including IT fixes, lawsuits, and fines.  Even for a small or medium-sized business, responding to a breach can easily exceed $50,000, not to mention lost business, damage to your reputation, and potential lawsuits and government enforcement actions.  In a recent survey, 40 percent of businesses with fewer than 250 employees reported that they could not remain profitable for longer than three weeks if they permanently lost access to essential data.

If one of your vendors suffers a data breach that affects your company, your customers, or your employees, who pays the cost of responding to the breach?  The hard costs of responding include, to name just some, notifying customers, providing credit monitoring services, restoring and upgrading data and systems, legal fees, and IT consultant fees.  If your vendor agreement does not spell out who pays for these costs, you may be forced to pay them. You may then have to consider suing your vendor, but without clear contract language, it may be very difficult to win such a lawsuit.

Given how interconnected businesses are today, this is a serious and growing issue.  In the next post, we will discuss some of the ways you can protect your company when contracting with third parties.