[BreachExchange] The digital age threat facing retailers and other high-risk data organizations

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 18 20:16:18 EDT 2018


As more retailers adopt an omnichannel strategy, there’s a valid concern
within the industry regarding the trustworthiness of data handling and the
integrity of their technology partners’ systems. Even with the purest of
intentions, the vast majority of technology providers are leaving their
clients extremely vulnerable.

For example, looking back at Target’s now infamous 2013 data breach, it was
Fazio Mechanical, a humble and by all accounts innocent refrigeration
sub-contractor, whose compromised network access was the entry point to
Target’s vital system credentials. None of Target’s firewalls, encryption
and secure access devices addressed the weakest link in its security
chain: a third-party vendor that harmlessly serviced it. After the vendor
was infiltrated, the attackers spent two weeks scraping and exfiltrating
the data of nearly 70 million credit cards to sell on the black market.

Because most retail organizations have some degree of sensitive digital
information, key decision-makers must be wary of threats that can enter
through all stages of a company’s supply chain. While operations can be
outsourced to third-parties, the accountability for operations cannot. It
has been shown that whether the breach originates within the institution
itself or solely by way of a contracted vendor, financial costs aside,
consumers voice their mistrust by taking their business elsewhere.

Organizations with the highest need for risk mitigation are those that
store non-public private information such as SSN, medical, financial,
proprietary and private information about real individuals. But in this day
and age, there are few companies that aren’t at least on the verge of
capturing that data even if they don’t realize it. The value of the data
collected can quickly increase as multiple collection points are combined
together, and it is not enough to simply secure the most obvious targets,
such as credit card databases.

Assessing Risk with SOC Reporting

Developing a formalized process to assess third-party service provider risk
can contribute substantially to a company’s bottom line, and the good news
is that the most effective measures can cost next to nothing. Organizations
of all sizes should request that each service provider present a security
assessment report listing the security controls it has in place, including
the last time it performed a security review. A SOC 2 is an auditing
procedure that attests that your service providers securely manage your
data to protect the interests of your organization and the privacy of its
clients, and it is regarded as a minimum requirement when considering a SaaS

Any service provider that has access to non-public private information
should achieve at a minimum SOC 2 compliance, meaning that it is compliant
with the following five Trust Service Principles (TSPs): security,
availability, processing integrity, confidentiality and privacy.

Not only does achievement of SOC 2 compliance demonstrate data security,
but there are significant practical benefits of working with a service
provider that is SOC 2 compliant including:

A streamlined audit process

While audits are never an enjoyable experience, having a service provider
that has already demonstrated compliance through SOC 2 eliminates at least
one audit headache by making the process easier, smoother and faster.

Stable operational rigor

Compliance with the TSPs is monitored over a period of several consecutive
months, providing proof to third-parties that the service provider has
established compliance and continues to meet these strict policies over

Access to greater service provider information

The process of attaining SOC 2 compliance generates a report, accessible to
the public, that gives an overview of the service provider’s effectiveness
and compliance with the five TSPs. This report provides greater insight into
a service provider’s systems and operations and allows potential technology
partners to assess whether its security controls meet their standards.

As attackers find it ever easier to infiltrate systems, it is imperative
that information security no longer remain just an internal effort; it
must be accounted for in every stage of a company’s supply chain. Security
must be a top criterion when making technology investments, and it can now
be quickly and easily assessed with a SOC report. Retailers that take the
time to allow a simple probing of their third-party vendors will save
themselves immense costs in both dollars and customer loyalty.