It came out last week that a third-party vendor was the launching pad for the Target attack. Then it comes out that this vendor was a heating and air company! Talk about an industry that couldn't care less about network security, let alone PCI and credit cards. After hearing this news I grabbed my go-to guy James Hull (http://www.linkedin.com/in/jhullwcsp), who deals with more firewalls in a week than most IT admins deal with in three lifetimes. When I told him, his eyes lit up in amazement. He said that one of the most common requests he gets is to open holes for HVAC companies to get into control systems remotely.
This highlights what anyone who works in this business knows: not one business is safe from security risks. The WSJ reported last year that every business has been hacked. Yet I can promise you that many heating and air companies, as well as other construction and maintenance type companies, spend little if anything on security.
Every business, government organization, not-for-profit, and school needs to have its security assessed. This is so important. Don't you think the third party that had access to Target is now partially liable? You bet they are. They did not intentionally do anything, but they created an environment that enabled the bad guys.
This doesn't let Target off the hook. They should have known better than to let a third-party vendor into their network uncontrolled. This was careless and lazy. It takes seconds to restrict a VPN connection. Not taking simple steps to secure their data, and the public's information, is stupid. I hope heads are rolling at Target and they are looking for a whole new team. They need to start with the CIO for such careless business practices.