It wouldn’t be out of the ordinary if you were notified that an employee who had been let go was filing an unemployment claim. But if that claim concerned an employee who was still happily employed, you’d know that there was a problem. And if that employee was actually the president and owner of the company, you’d know for sure that someone was trying to commit unemployment insurance fraud.
This is a true story. How did it happen?
As of this writing no one knows, but the information leak likely had to do with one of the company’s vendors and their inability to safeguard the personal identifiable information that they keep on employees.
Vendor Accountability for Security
Your vendors are just as responsible as you are to safeguard the data that they gather and store on your behalf. If you’re not requiring them to be accountable for security, then you’re opening up your organization to a whole new level of risk.
Accountability for security isn’t anything new. Many industries like healthcare (HIPAA) and financial services (PCI-DSS) have had mandatory regulations for data privacy for years. More recently, the Department of Defense (DOD) has started instituting Cybersecurity Maturity Model Certification (CMMC) for its supply chain to verify security of Controlled Unclassified Information.
What the DOD is doing with CMMC could be a sign of what’s coming down the pipe to many supply chains and vendor networks whether they’re in regulated industries or not. This is because self-certification of security doesn’t work. Verification is the only way to get consistency and accountability.
Value of Data and Network Connections
Remember the big Target hack back in 2013? The data of 41 million consumers was exposed because of one of Target’s vendors, specifically their HVAC company. In the wake of the information theft, Target has paid out millions of dollars to affected consumers, and we can only guess at the extent of the negative impact the incident had on lost sales and their damaged reputation.
Your company may not be as big as Target, but you’re still a target. (pun intended)
Cyber criminals want to steal, corrupt or kidnap your data so that they can monetize it. In the case of the unemployment fraud, there’s someone going after a weekly check. Often the criminal who steals the data puts it up for sale on the dark web where it gets sold.
According to the Privacy Affairs’ Dark Web Price Index 2021 a valid US social security number sells for about $2 on the dark web. We can imagine that this is where the unemployment claim fraud started. Multiply this ploy by the thousands and you see how a $2 piece of information can lead to a huge payoff for the criminals.
In a similar way, access to computers and whole networks can be sold. One bad guy gets in, and then sells to another who will drop ransomware or other kind malware, or snoop around to get the information they need for a targeted phishing attack.
Use a Security Framework for Vendor Accountability
Organizations like the Department of Defense found out firsthand that self-certification for security doesn’t work. When they decided to tighten up their supply chain security requirements, they determined that they needed a framework, and that’s what you’re going to need to too.
A framework will provide you with the standards, guidelines, and best practices that you expect your vendors to follow. It also clears up communication about security by getting everyone on the same page.
A framework is not a checklist although it might look like one at first. A framework will list different security controls but there are different ways that the controls can be implemented.
Getting Vendors Onboard with Cyber Risk Management
Detailed instructions on how to establish a system for assuring vendor risk management is beyond the scope of this article. Our objective is to stir up awareness that the companies you do business with can pose risks that you might not have considered.
Do an audit of your vendors and get a firm understanding of what data they store. Have a conversation to find out what they’re doing today to keep it secure. Get your IT team involved to help you ask the right questions, interpret technical terms, and assist you in bringing visibility and management to your data wherever it might live.
XPERTECHS Expertise in Security and Compliance
XPERTECHS is a SOC 2 compliant company. What that means is that our security practices and procedures have been validated by a third-party for effectiveness. We understand how the technical and nontechnical layers of security come together so that our clients can put up a strong cyber defense and avoid the devastating impact of a cyber attack.