It was disclosed this week that Target was breached through a vendor that had access to its systems; it was not an internal employee or some other hole in the systems. I think third-party access is an often overlooked security risk. Some companies take steps to secure their own systems; however, the 3rd party companies they work with do not take equal measures and end up putting the business at risk just the same. So who has access to your systems? What security measures do you require of them?
We received an inquiry a few months back from someone wanting a security assessment. They dealt with the banking industry. They were curious about the costs and what it would entail. After a few initial conversations they told us they needed it because a few of their clients were requiring it. After reviewing the costs and the potential downside of not doing it, they decided to hold off until "something happened". My only guess is they still work with those banks. This scenario is far too common.
If we want to be secure as a company we need to set standards for the vendors we work with, enforce those standards, or just say no to working with them. No one company is "worth the stretch" of bending basic security standards.