October 18, 2018 // Ellen Neveux // Last Updated: April 29, 2019
On October 4, 2018, Lt. Col. Joseph Buccino, Pentagon spokesperson, announced a Department of Defense (DOD) data breach that affected at least 30,000 military and civilian personnel. It’s reported that hackers gained access through a third-party contractor that maintained travel records for the department. The breach compromised highly sensitive data, including personal and financial information. Travel records are particularly delicate, as researchers Karsten Nohl and Nemanja Nikodijevic explain: this information can give bad actors detailed employee itineraries, down to the airplane seat number, which is a clear threat to national security.
Unfortunately, this public sector breach should not have been a surprise. Around the same time, the U.S. General Accountability Office (GAO) issued the report “Weapons Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities.” Among the weak spots it identified were a failure to be proactive about preventing cyber attacks, poor password management, and a lack of encryption. But even if the DOD had had many of these cybersecurity best practices in place for its own organization, a network is only as strong as its weakest link. In this case, the DOD didn’t address the vulnerabilities introduced by its third-party vendor.
It’s critical for all government agencies to take notice and address this specific risk. Remote Site & Equipment Magazine reports that government, nonprofits, and the private sector all have mandates to essentially “do more with less.” Quality, productivity, and turnaround time must continually be improved with increasingly limited budgets. IT services from remote third parties make this possible.
However, CSO.com illustrates the growing threat of a mismanaged enterprise/vendor relationship, “… service providers are now firmly in the cyber-criminal’s crosshairs. Often having privileged access to multiple customer environments and inherently trusted to store and protect confidential information, cybercriminals view service providers as treasure troves. The Trustwave 2018 Global Security Report (GSR) found a marked increase of 9.5% in compromises targeting businesses that provide IT services.”
As these relationships become more frequent, organizations can reduce their exposure through these best practices:
Organizations that leverage third-party services must follow these best practices in order to maintain a value-adding partnership with vendors. SecureLink understands this challenge and has incorporated these security measures into its vendor access management platform, which provides credential management, multi-factor authentication, connection notifications, and real-time monitoring with comprehensive audit reports.