
but we didn't really have time, but yeah, we're talking about vendors today. I'd like to tell you why I think they're the biggest security threat that you have to deal with right now.

So first, I'm Dan Browder. I am an information security director at a regional bank based out of Omaha. Oh yeah, well, the one with the large building? Yeah, okay, what'd you do there? Okay, that's fine. But I've been in IT and security for about 20 years now, and vendor and third-party risk management has been a passion of mine for the past few years. While there are a few different areas of third-party risk management you can get into, you can get into financial risk and reputational risk, we're gonna focus mostly on it in the context of information security. So first I want to talk about a bird. We had some birds that were nesting on
the porch. Just a couple weekends ago I was setting up for my daughter's graduation party. They set up a nest on my security camera, and that was a bad idea, because I need to recharge that security camera, it's a battery-operated thing, and I just didn't want them, you know, making a mess. So I needed to deal with it. Got a ladder out, went up and looked at the top of the nest. There were no eggs, there were no little birdies in there, so I thought, okay, we can get rid of this. Took the nest down, cleaned up everything, good to go. I figured they'll move on. So the next day they come back and they're still building another nest, this thing, five... I'm thinking this is a bad idea. I try to reason with them. I tell them, hey, go somewhere else, go move to a tree or something. We've got a nice tree out in the yard, you'll be happier there. That's where birds should be, they shouldn't be on my security camera. So I knocked down this little nest. Building again, and they were just really upset about it. They keep coming back with some straw and some dirt inside there. It's a repeat, so I'm thinking this is bad. I end up taking down the security camera. There's nothing for them to nest on anymore. They're flying back and forth, just outraged. They don't know what's going on, and they're just wondering, why is this gone, why can't we nest here, why are you doing this to us? And I just shoo them away. Finally they end up leaving, and I figure they're gonna go make a nest in the tree where they should be, be happy. So I was downtown, I was in Indianapolis at Circle City Con, and there were some bad storms coming through Omaha, and my daughter sent me a photo, and it was our tree, and it was broken down. And I thought, I'm terrible, I'm a terrible bird guardian here. I told them to go move into the tree and now the tree got, yeah. And I'm thinking, that's bad, what have I done? So, right, so in the end the birds were smart. A week later I'm talking to the neighbor, and they say, oh, you have some birds nesting up there. And I look, and they're on top of my gutter, underneath, like, well, that's a fine place, it doesn't bother me here. So they knew what they were doing.

So anyway, I'm telling a story about nesting birds, and the point I'm trying to make is that you can have an amazing nest, but if you're fundamentally flawed in what you do to build it and the support you put underneath it, then everything is simply at risk. So on your network, I know all of you have brilliant employees that would never, ever click on a phishing link, and you have impenetrable external controls, no attacker is gonna
break in under any circumstances. You have such a pristine environment that everything is monitored, tracked, and managed. You know every device on your network, right? But I don't know how that helps when you send all your most sensitive information to Tito's law firm. Now, I was just searching the internet for shady lawyer pictures, and, you know, I really don't know if it's warranted, and I don't want to pick on Tito. I mean, we can trust him, right? His dogs trust him, so he's got to be a good guy, and I wish Tito nothing but the best. But it also says he's a personal injury lawyer, probably doesn't work for your company, but, you know, we're just gonna say now that Tito's been working for 20 years, and 20 years ago he kept all his files in a nice fireproof cabinet, on paper. Everything was good, and he was in his office, he locked his door. But Tito's not stuck in the past, he now has gone digital and he has an assistant now. We built him a website, and, you know, he even uploads customer, or, that is, case files to that website so his clients can have access to them, and that's great. And it's all built on an unsecured Amazon S3 bucket that's wide open. Oh, it's an S3 bucket. So lawyers are the worst at this sort of stuff. They have tons of information and they know nothing about security, so they're just there to, you know, save you like that. But, you know, it's fine, right? This is just normal day-to-day business, this is what we expect.

Last week there was a report, and it was saying that China had stolen sensitive data related to naval warfare from the computers of a Navy contractor, and, you know, it says officials said the data gleaned by China was unclassified. All right, unclassified, that's not important. I originally had more examples and reports in here, but you guys know this, you know that people are being breached every day. You see this all the time: point-of-sale systems, HVAC controllers, payroll processors, web hosts. There's nothing new here, this is all normal. My screen resolution's weird over there, but I don't know why. We need to focus so much on our network security, keeping the bad guys out, when we don't focus that much on our vendors, and if they're doing the same thing, so are you okay with it? I mean, your company's not doing a ton of shady stuff, I'm sure, but you still have something to protect. That's why we have jobs, that's why we're in security. There's something to protect, so it's what we do. We're all blue team no matter what team, that's the phrase. So what do you have to protect? I mean, is it
customer information, trade secrets, IP, confidential documents, maybe design documents, credentials, is it access to your network, is it something even more critical? So any of those things are being outsourced, everything's being sent out to a vendor. So are you okay with this? Is your boss okay with it? Is the CEO okay with it? Are your regulators okay with it? I mean, if that gets breached, are your customers okay with it? No, they're not, because we're security, they're gonna hold us responsible if there's a breach. It's our job.

So in finance you have a lot of regulations, sometimes you feel like you're overboard with them, but every industry has regulations. There's always something out there that affects you. You know, SEC, CFPB, financial regulations, HIPAA, federal regulations, GDPR in Europe if you're working in Europe, then you have industries like PCI. China has a new cybersecurity law that ties in. All of them have components of managing your vendors, managing your third-party risk, and, you know, you can google the regulation, the regulator name, and "third-party" or "subcontractor" or "outsource" and it'll give you the details of what it is. Each one is a little bit different, some of them are more detailed than others, some of them really have different understandings of what a third party is. It might not just be your vendors, it could be, you know, a partner that you
have some sort of business relationship with, but, you know, it all kind of ties together. So since they vary with so much detail, what do you need to do and how can we get it under control? Well, first we need to find out what you're protecting and what's important to you. You can start with saying, do you have anyone who has remote access to your network? I know, I'm sure you don't, because that'd be bad, but, you know, if you do, make a list, throw them in a list. If that vendor can get into your network, it might be locked down, you might need to... you might know exactly what they can have access to, so document that too. If you have vendors that you're sharing information with, sensitive information, do the same thing, put them on a list. What do they get? Where are they getting it? How are they getting in? Where is it being sent out from? Do you have systems that send it, other systems, internal controls? So that's what you know, that's what's easy. You've got technical controls you can look at and see.

What about things you don't know? And the way to find out what you don't know is, so you look at these shadow vendors, these shadow IT vendors or just shadow data vendors, and you wonder where are they coming from. Somebody in some line of business went and signed up for a website and started uploading documents to it. Or, you know, maybe you prevent that, but there's always something out there. So go to finance, or the finance people, and say, who's getting a recurring payment? Give us a report of anyone who's getting recurring bills, and then compare that with your list. Is there anything that is on those lists that you don't see elsewhere? There probably is. And when you combine the lists you can categorize them as best you can, so you can say how many of these are technology vendors, how many are internal software, how many are we sharing data with, how many might be facilities, user support services, or even cleaning crews that are coming from outside, and how many other ones come on-site regularly? What do they have access to when they come on-site? As infosec folks we're really good at this, even though it's more of a risk thing, we're really good at this because we're naturally curious, and you're kind of hacking your business in that sense, where you're looking at what does this business do, why do they do it, and where does it go, what's next. It's kind of the same realm as looking into software and hacking software or doing a penetration test. So you put them on the list, you make an educated guess of what they do, that's your starting point. And based on your business you may need
or want a policy, and the policy just covers why you're doing this, what you need to do, and who's accountable for that. And unless you were specifically tasked with getting vendors under control, which you might be, it's becoming more popular and more of a threat, you're gonna need buy-in, and you'll need buy-in from leadership to say this is something we need to do. You need buy-in from the business, because you're gonna be harassing their vendors, basically, people they work with and their support services, and you need their buy-in to say, okay, yeah, this is important. So it's a lot of discussions going back and forth and figuring that out. Now, my organization, we already had something in place for this, but I've always felt we didn't do it enough, so I've been pushing for years and years to do more and more, and I've written and rewritten our policy a number of times and it's just constantly evolving. It's like any aspect of security, there's always something new you can do.

After you find out what you're doing, what's next? If this is your first foray into third-party risk, you should move slowly and do what you can. You might have a thousand vendors or ten thousand vendors, you can't review all of them. You have to use those categorizations to figure out what the highest risk is and go from there.
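The inventory step just described, as an added example that is not from the talk: merge the remote-access list, the data-sharing list and finance's recurring-payment report into one vendor inventory, flag the vendors only finance knows about (the "shadow" ones), and tier the result by risk so the highest-risk vendors get reviewed first. All vendor names, categories and data classes are constructed sample data, and the tiering thresholds are one reasonable guess, not a standard.

```python
"""Reconcile vendor lists into one inventory and tier it by risk."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample exports (not real vendors).  In practice these come from
# the VPN/firewall team, infosec's own records, and the finance AP report.
REMOTE_ACCESS = [  # (payee as the VPN team spells it, what the account can reach)
    ("Acme Payroll Services, Inc.", "payroll app servers"),
    ("Northwind HVAC LLC", "building management VLAN"),
]
DATA_SHARING = [  # (vendor, data classes sent to them, channel)
    ("Acme Payroll Services", {"employee PII", "bank account numbers"}, "SFTP"),
    ("Tito's Law Firm", {"customer PII", "confidential documents"}, "web portal"),
    ("Contoso Print Co.", {"marketing copy"}, "email"),
]
FINANCE_RECURRING = [  # (payee on the recurring-payment report, GL category)
    ("ACME PAYROLL SERVICES INC", "professional services"),
    ("Northwind HVAC", "facilities"),
    ("Tito's Law Firm LLC", "legal"),
    ("Contoso Print Co", "marketing"),
    ("DocuVault Cloud", "software subscription"),  # nobody in IT documented this one
    ("Sparkle Cleaning Crew", "facilities"),
]

SUFFIXES = re.compile(r"\b(inc|llc|ltd|corp|co|company|services)\b")


def normalize(name: str) -> str:
    """Collapse spelling differences so one vendor matches across the reports."""
    n = name.lower().replace("'", "")
    n = re.sub(r"[^a-z0-9 ]", " ", n)   # punctuation -> space
    n = SUFFIXES.sub(" ", n)            # drop Inc/LLC/Services etc.
    return " ".join(n.split())


@dataclass
class Vendor:
    name: str                                   # first spelling seen
    remote_access: set = field(default_factory=set)
    data_classes: set = field(default_factory=set)
    channels: set = field(default_factory=set)
    finance_category: Optional[str] = None
    shadow: bool = False                        # only finance knows about them


def build_inventory(remote, sharing, finance) -> dict:
    """Merge the three lists; a vendor seen only in finance is a shadow vendor."""
    inv: dict = {}

    def get(name):
        return inv.setdefault(normalize(name), Vendor(name=name))

    for name, target in remote:
        get(name).remote_access.add(target)
    for name, classes, channel in sharing:
        v = get(name)
        v.data_classes |= set(classes)
        v.channels.add(channel)
    known = set(inv)                            # everything IT/security already knew
    for name, category in finance:
        v = get(name)
        v.finance_category = category
        v.shadow = normalize(name) not in known
    return inv


HIGH_DATA = {"customer PII", "employee PII", "bank account numbers",
             "credentials", "trade secrets"}
MEDIUM_DATA = {"confidential documents", "design documents"}
# Educated guess for shadow vendors from finance's category, until the
# business owner is asked what the vendor actually receives.
GUESS_BY_CATEGORY = {"software subscription": "medium", "legal": "high",
                     "professional services": "medium", "facilities": "low",
                     "marketing": "low"}


def risk_tier(v: Vendor) -> str:
    if v.remote_access or v.data_classes & HIGH_DATA:
        return "high"
    if v.data_classes & MEDIUM_DATA:
        return "medium"
    if v.shadow:
        return GUESS_BY_CATEGORY.get(v.finance_category, "medium")
    return "low"


def shadow_vendors(inv) -> list:
    return sorted(v.name for v in inv.values() if v.shadow)


def review_order(inv) -> list:
    """Highest tier first; within a tier, shadow vendors first (they are unknowns)."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(inv.values(),
                  key=lambda v: (rank[risk_tier(v)], not v.shadow, v.name.lower()))


if __name__ == "__main__":
    inventory = build_inventory(REMOTE_ACCESS, DATA_SHARING, FINANCE_RECURRING)
    print("shadow vendors:", shadow_vendors(inventory))
    for v in review_order(inventory):
        print(f"{risk_tier(v):6} {'SHADOW' if v.shadow else '      '} {v.name}"
              f"  access={sorted(v.remote_access)} data={sorted(v.data_classes)}")
```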
But what exactly do you do? And that comes into procedures. So we're basically going to be auditing our vendors, and some of them are really fine with this. Some of them have a compliance packet they'll give you with the questionnaires filled out and all their certifications, regulations they went through. Those vendors are unicorns, they're very rare, and they're great to work with. But most of your vendors, a lot of your vendors, are going to fight tooth and nail with you, and they're not going to want to do this, and unless you have contractual controls in place to force them to, it's going to be difficult.

So with a lot of lawyers, what's on paper is all that matters to them. My boss is a lawyer, I work with lawyers on the legal team, the new heads of our risk areas are lawyers, any of this stuff, and I am in a room with like four lawyers and I'm IT background. It drives me nuts that all they care about is the wording of this, the wording of that. But, you know, when that comes to your vendors, that's kind of important. So hopefully your contracts have language in them holding your vendors accountable. They need to be held to the same security standards that you expect of your organization, and, you know, even if you have in there that they need to meet best security practices, just something that you can use to leverage the situation. You likely have the right to audit, and that goes into the questionnaires, and you can say, well, I have a right to audit you in my contract. And some of these things you can put in there up front when you set up the contract, and sometimes when they revise the contract. If you put it in there, you also want any breaches... if there's any vendor breach, if they have your information or their systems are breached, you want to be notified of that, and you want to be notified right away, from them, not from your customers. You don't want them to notify your customers; you guys have got to figure it out. So work with your business folks and legal teams. It's not fun, but they're the ones who handle this. And if a vendor doesn't have this information in their contract, the next time it's up for renewal review, get it in there. If the business or the vendor brushes you off because it's not in the contract, they may say we don't have to do that, then we put the vendor on another list, and that's a list for replacement.

So this is where you might be saying, I don't have that power, I don't have this way to tell somebody in the company that you can't sign that contract. That's fine. You guys need to find the person who does. So you talk to them about the risks and where the data lies, and you don't need to, you know, you don't need to scare them. Be realistic, it's not an immediate threat, hopefully. Hopefully you're not doing this in the middle of a breach. You're just talking about potential risks, and everything in business is risk, so we're just trying to figure out what that risk is and how to quantify it. So you tell them what will happen when something goes wrong: so this vendor has all this information and it gets out there, what's gonna happen to the business? You write all that out and you have whoever's the stakeholder here sign a document saying they accept that risk on behalf of the business. And when they do, that goes to the appropriate people, and when something happens, their name's on the line. You don't want the default to fall back on you in security, saying this vendor was breached. You need to be able to come back and say, I knew they were risky and the business signed this acceptance.

So now we've gone through and we kind of have a policy in place that says we're going to audit the security and soundness of our vendors. We have good procedures to do this, or at least a start, the start of something. So we're gonna dig up some dirt, and all of you right now are auditors, which I'm sure you wanted to be. So we're gonna look at those lists of vendors and we start
breaking them out by risk. So who causes the biggest heartburn? You start with those vendors, the worst of the worst, and you add any that have breached or had a change in information. You say, what do they do for us, what type of information do they get, are they an ASP, who hosts that information, where does it go? And you get whatever you can from the business, and then you just follow up with what you can from your own research. We're going to use that information to determine what to ask the vendor.

So the first and most painful thing for a vendor, and for you, is a questionnaire. The questionnaire can be used on general security controls, just every detail that you think you should be doing, that the vendor should be doing, is in your questionnaire. You can create your own. You can ask, do you have firewalls, do you have antivirus, do you allow USB access, but that's gonna get old really quick. We need something easier to do this. So there are a handful of questionnaires out there. The first one I put up here, I don't like it a whole lot, but I can put it out here: Shared Assessments, or they do the Shared Assessments SIG. It is a super long questionnaire, and it's huge, in the fact that it is up to sixteen hundred questions. I send that to vendors, all of them sometimes, depending on the scope of the vendor, and they come back and say we've never seen anything like this. Okay, great, you can tailor that down, you can scope it down to like a hundred or less, any of what you need. It is a standard. It costs quite a bit, I think it starts at like $7000 for a license, and it's just an Excel file, you're paying for the information. You can also join their group as a member and you get access to those things and the training and certifications.

Cloud Security Alliance is also a large questionnaire. It's really useful for cloud service providers, if they're giving you that sort of information. A lot of them pre-populate this and actually publish it online, so you don't even have to ask them, you can just kind of get it right up front. If you don't, it's a free questionnaire you can download from their website, you can send it to your vendors, but it is focused around whether they're providing some sort of cloud services. Vendor Security Alliance is the more generic one. It's a lot simpler and shorter, and it's also free, but it covers the basics if you're getting started. And then for hacker types, Google has a questionnaire framework that they published on GitHub and they open-sourced it, so this has some security questionnaires built in, built in JSON, within the actual framework. You can download it and you can load it up on your server, or you can load it up client-side and just kind of build your own questionnaires based on that. If you have a GRC tool, like governance, risk, compliance, a lot of them have third-party questionnaires in there. Some of them don't focus on security; some of them focus on, you know, reputation risk, location risk, financial risk, and they're not asking deep security questions about what the vendor does. But if they do, great, you can use that. And I'd just be cautious with any of these to make sure that what you're using is relatively recent. Shared Assessments used to be a different organization called BITS, and they published a free questionnaire, a free one, I think it was years and years ago, and some people still use it. I think it's really 2007. You look at that questionnaire and a lot has changed since then. A lot has changed in 10 years in technology, so make sure nothing you're using is like five years old.

So we get the questionnaire back, and, you know, that's a struggle in and of itself, because the vendor doesn't want to respond, are they responding correctly? But we'll say they have a security policy and incident response plan. That's great. So you can ask for... you can ask for their policies. Be surprised how many vendors will just give you everything, and that's great.
I got a vendor last week and they gave me screenshots of their Windows Defender, they gave me screenshots of a Docker container's CPU and RAM utilization. I don't know why they gave me these things, I didn't ask for them. I thought, that's interesting, has nothing to do with my security evaluation, but they gave it to me. They didn't give me anything I did ask for; that was a problem. But all you're doing here is you want to see these policies. If they don't give you a policy, a lot of people will say that's sensitive, they don't give it out. Maybe they'll give you a table of contents, or they will let you see it over WebEx. You don't need to get into the details of what the policy says, you're just trying to make sure that they actually have something that's mature, and it's not just the one-page security document they put together in 2005 that they're still using, which I see. So we ask, and we have a policy, but we built it ten years ago and it's two pages and nobody even pays attention to it. So that gets into the maturity of their program. So you know that they have some security program in place, you know they have the appropriate people doing some of these things.

But the thing is, policies don't protect you and questionnaire responses won't protect you, because all these are created by the vendor, and they can say all the right things and they can give you all the right answers, but in practice they're doing everything wrong. We've seen that with some offshoring vendors, you know, they'll give you this information and all these policies look great, and then if somebody would go on-site in India it looks like they set up shop yesterday and they don't know what's going on. So you just take these as bits of information, and they need to make you more comfortable with what the vendor's doing. That's all it is right now, just information pieced together.

So we want to look for something that's outside validation of the vendor, and that gets into their certifications and some other things here. Certifications are easy: are they ISO 27001 certified, are they PCI validated, are they Cloud Security Alliance STAR certified, do they have other certifications? They might not give you a lot of detail, and sometimes you'll just get a certificate saying some auditor signed off. But all that really means is that somebody came on-site and validated a set of controls within a certain time frame, hopefully within a reasonable time frame, and they keep that updated. It's a data point. So if you've been through these certifications, you know that the quality of assessor varies. So some of that has weight. Also, you can bring somebody in to
assess you for a certification and they go a lot easier than somebody else. And again, the vendor is paying for these certifications. If it doesn't work out, they're not going to give you a report saying it's bad.

If your vendor provides tech services, will they give you a penetration test on those services, web services, even software they're doing, code review through the code? A lot will hesitate, but if you keep pressing you'll often get something. I mean, if there's nothing wrong with their penetration test, is there any reason why they won't show it to you? I mean, if they've remediated any issues in there, why won't they show it to you? What's the concern? At the very least you should be able to get a summary of the report, any highs and criticals, and whether those have been remediated, something in writing, some documentation. Now, some vendors will give it to you, they'll give you a nice penetration test they have done. Some vendors will give you a Nessus scan and it has no remediation or no validation that those are even issues. It could be their internal network, the external network, who knows. I take that as another data point. I take that as the data point saying the vendor doesn't know what a penetration test is. It's usually a bad sign. As an aside, you know, for a geek like me who doesn't get to go hands-on too much, I like reading through the penetration tests. I just like to see what all the hackers here actually are doing, so that's fun.

We get into audits. I don't give much weight to internal audits, because you don't know the independence of their audit function, so I'm looking for something external. I'm looking for someone who came from outside and reviewed the controls of their systems. I usually ask for an SSAE SOC report, SOC 2 Type II. That's kind of a standard in the US, and it's a report that's supposed to be for internal use, but most vendors would get it done, they're doing it for you, to give to you, and they will. Most of the report is useless; what you really want to see is what the auditor's opinion is, whether they see any issues and whether they've stated them in the report. You also want to see if there are any exceptions to the controls tested. There's a whole section on "we tested this and found this, we tested this and found this." If there's an exception, there should be a response, and if the vendor responds maturely, it's not such a bad thing. The SOC report is like a penetration test in the sense that some things go wrong, there's always something wrong. We want to see how it's corrected and how they respond to it, and that they do so maturely. So sometimes you get a report where the vendor argues with their auditor in the report they paid thousands of dollars for and then give to you freely. I just get a bag of popcorn and I try to think, why the hell did you do this? I'm just reading this report with my popcorn. It doesn't bode well for how they would handle issues if they're arguing with themselves or even with their auditor in the report that they gave you.

So we've gotten policies, procedures, and guidance notes and audit reports. What other sorts of information can be used to validate this vendor and see if they're trustworthy? This gets a little bit into OSINT, open source intelligence, but we're not doing that on an individual, we're doing a business, so I don't know if that's the same thing.
But, you know, start with some Google searches: reputation risk, do they have any recent data breaches, are there any locations they have that are strange? Look up their IPs and see, okay, we have IPs in Asia, but they said they don't do any outsourcing, why do they... who knows what the reasoning is there. There are tools that do this also, and they perform monitoring on others. There are general tools you can use to research them; there are tools that are built for monitoring third-party vendors. So some of these are like SecurityScorecard, BitSight, RiskRecon. They basically take a list of your vendors and they scope out the IP ranges, they scope out any sort of vulnerabilities that they find through honeypots and things like that, and then they give you a score. They also do some external scanning, non-invasive scanning, to do that. And sometimes you can take these reports, you can give them to the vendor and say, why do we see all this on your network, or why do we see all this coming from IPs, you know, not on your network? "We're not on their network." Well, yeah. And they say, why are you pen testing me? Hey, I didn't, it's just a public scan that somebody else is doing. But, you know, they'll hopefully take that away and be able to give you some responses, especially on some of the things that might look a little more critical. And more often than not there's a lot of false positives there, they're just straight-up scans, but you can still use it as a piece of information again. So most of your vendors are only gonna be rated ninety or eighty percent, and then you come across one that's at like forty percent, you know there's something there. And it might be something as small as they have operations in multiple countries, one of their locations down in a frontier town of Brazil is really terrible, but the US operations are completely separate. Sure, the overarching organization owns all those addresses, but your data in the US data center is never accessed, and hopefully they can document that for you.

So let's see if I remember this slide. I was looking over the description of the talk and I put something about future state, and so I realized I was going to talk about that, so I threw this together, a couple of notes. We talked about those last vendors, they kind of do continuous monitoring. So most vendor assessments you're doing when you first onboard a vendor, that's probably the standard that everyone does, a little bit, and you should be doing it regularly based on the risk, whether it's annually, whether it's every couple years. It depends on the risk of your organization, their tolerance. But continuous monitoring
is where it's going. So with these vendors and other organizations that are working on continuous monitoring, ideally you'll get to a point where if there's a breach of this vendor or there is some sort of change, you'll get an alert immediately, and you know when your third parties have issues. That will all come down into a data feed, and I know we love data feeds because we get so many data feeds in security, but it could be useful. If there's a vendor... what if you're a vendor? So you're on the vendor side, and a client asks to put a box on your network to monitor the security of your network and report back to them. There is a vendor out there that is doing this, pushing this and selling it, that you can use. It's kind of cool, it's kind of scary. I know some organizations, there's a healthcare one, that are using that, and they were really recommending it. So most of these tools just look from the outside in, but if you can get that inside view or something like that on a regular basis in some sort of data feed, that would be great.

We're all getting into the fact there could be actual shared assessments. There are more user groups coming together where they want to assess their vendors as a whole, these common vendors that everyone's using, and get a response back. There's also the ability to say a vendor can go out there and just publish an assessment to everyone, and they just send it out to all their customers. It reduces the work on the vendor if they're taking this shared assessment, and it reduces the work on everyone who's collecting that information. We don't need to be doing everything differently. Ideally we'll get to some point in the future where everyone will kind of be standardized and this process will actually standardize. We'll know what we're doing when we get there, hopefully we'll know what we're looking for, and it'll just be an easier process. But until then we're really working on the questionnaire basis in the day-to-day.

So now we're at the point,
you've got it, you know everything there is to know about the vendor. They have some issues, they always have issues, but you need to determine what's important. Look at the slides. So if a vendor doesn't perform... so I know an organization that really cares about training, training and awareness, and if a vendor doesn't perform annual training, that's like number one in their list of things to tell the vendor. They tell them, we need to do this training, you need to do this training, you need to report back to us that you've done it and that everyone's taken it. I agree training is important, it wouldn't be my number one item on a list, but that's what that organization decided was important. For another one, I found out that, you know, although this is not uncommon, offshoring is a big no-no. Everything needs to be within the US, and if there are any support services offshore, that's an issue. Now some of that's difficult; you don't know that. The vendor might up front say everything's internal and then outsource. They're supposed to tell you in the contract, I mean that's, you know, something you want to have in there, but more often than not you don't hear about it until you try to come back and do an assessment. So if regular penetration tests are important to you, maybe the vendor does a penetration test every year and for this specific application you think it needs to be done quarterly because of the risk. There's a hard cost there; they need to have somebody come in and do that. So are you, based on your risk tolerances and your business decisions, willing to pay for that penetration test? That's a question you have to ask: pay for it for the vendor, or pay the vendor more to do it. So those are questions, those are hard questions that only your organization can answer, and it's based on your risk tolerance.

So when you have those answers, you have to document it, and you have to document the issues. So you take all the issues, you put them in a stack and you beat the vendor over the head with them, and then, or, you just ask the vendor nicely to correct them. You put timelines on it, you notify the internal stakeholders who work with the vendor, you say those stakeholders are responsible for correcting the issues, and if those issues aren't corrected, then you escalate. You just want to be sure that whenever that vendor is breached, there is something that comes back and says, you know, security, you weren't the ones that took this responsibility on yourself, somebody else did. This is a business decision we're willing to make in order to move forward.

So then you get the call. I try to do this: "Hi, this is Dave from finance. Our Callen just called and said a hacker put
a handsome bear on their server and payroll is missing can you call him handsome bear ransomware I don't know my favorite slides you so that's the start of a bad day your vendors breached but I mean the good news here's they called you and maybe they called you in a relatively reasonable amount of time back weeks months later but often you'll you'll not get noticed for days or months and and that notice will usually go through through a generic letter that comes through their legal team and is sanitized and then goes through an account representative who doesn't know anything about what's going on
so we have to deal with it McGill these issues so some of the examples that I have here you know I mentioned an unsecured AWS bucket has three bucket at the beginning is just kind of a joke with Tito's law firm that actually came up with something I was talking to one of their vendors it was a mom-and-pop shop and pop did all the business work and work with customers and I'm did the technology work and she somehow got in the plane where she was you know creating this three bucket and putting all the information in it pop didn't remember passwords he does no good with it so they left it on opens that he just
a clickable link that was found and that really you know it exposed that company based on that how about a law firm and you know law firms are terrible I mentioned that they're worse but they're our law firm a espy's lot legal a espy's that provides services law firms so they don't have to keep everything on their network so say you have a law firm that does that and their networks terrible so they realize we should put it up in this in this cloud provider well they don't do deal with due diligence in that cloud provider they didn't tell you they moved all these place cases to a cloud provider so basically what you do is you
have to find out what that cloud provider does for you that fourth car that you don't even have a relationship with and work with them to make sure that they're secure but if you get it ransomware on a non-critical system that's managed by a vendor say I mean really nine critical it's it's it's a marketing success on that isn't any data on it it just it can be straight brought down and just white is that a big deal what kind of I mean they're providing the services to you you're paying them to to manage the system and monitor it so it's kind of still along the lines of you need to you know you need to hold
them accountable for that data isn't lost you don't worry about a breach but you still need to go out there and say what happened and get them in response to get responses from you and and those responses can provide data - they can provide information on that vendor maybe they're pretty good at responding and then they just follow up the map for three or four weeks I'm saying that's happened but you know if you see that well wait why why didn't she get that final report so you harassed him you finally find out the guy who is doing it went out for knee surgery and there was no one else that knew how to manage e systems I mean
again not a critical system but but I mean isn't that important you have some sort of somebody there back to mom um so you get mallet vendor gets malware they send out and notice their customers say and you know we have an outage due to malware that's that's good they told you it's in how it is active right now but you hear malware you're thinking well what what I have my data to get exfiltrated something fill out and you harass it or ask them they said they'll provide updates every four to six hours I know when you're doing this when you actually have an instant that seems kind of reasonable but when you got customers
counting on you and you're telling them stuff you're scaring the crap out of them you need to know what the heck you're doing and actually provide proper communications back and forth so there is an extremely large firm who had a breach and give vague assurances that none of none of my data was was at risk you know this is where they're the big fry or the small fry and they're not gonna really do anything for you but when you send them a certified letter from your legal team and you conduct their C so I send it to their seats though and you just keep going up the chain till you get some sort of response
maybe you can get a phone call so you get a sanitized letter saying okay this is just what happened on a very basic thing that sponsor legal get the C so on the phone or somebody that's responsible they can actually give you the details they can go through it and say this is why you're not at risk they targeted the attackers targeted these five other organizations specifically you could have something where it's like a technology vendor that you just signed up you know you went through all your due diligence everything looked great and then they get breach they're in the news like the day afterwards and you're thinking what happened what do we miss you dig into it it's just you know it's
their marketing system they didn't put that in scope for the product services they were giving you it's just where they send out their their spam from so your email addresses were in there but nothing more than that it's not really a risk but you just you know when you hear that company in the news you're like you've been breached like just sign a condom with you and she's not a good place to be in and I know I'm not using names on any of these but I'll call it Equifax we all know what help with Equifax and you know some some places that use Equifax and everyone uses Equifax in some way that does some sort
of finance they put notices on their website saying Equifax has breached contact Oz or contact them directly to this website which had you know the website was flawed and that website was breached and it was just a mess but they had kind of a shield they were big enough where they're a shield for all these little companies that were using them Equifax was taking the blame but you can't count on that some vendors are gonna be your shield and some vendors you're gonna be the shield for them you know his mentioned this morning and I try not to mention the presentation but target was one who started all this they're doing great now but they were
they were the shield for their little HVAC man there they got breached so you have to make an example of the vendor when you have something like this and to do that assume your incident response plan considers a third-party breach in the plan if it doesn't used to be working on that so activate your plan notify your internal stakeholders and then notify the vendor that you activate the instant response plan and you expect responses you hold their feet to the fire we talked about a scares speaking to the C so now if this isn't an a happening breach in real time that's going on that might not be possible there they're responding to the breach then their hat
they're having to deal with it but a lot of times you don't get these two weeks or months later at that point everything should be figured out of your research and you want to get that communication so you grab them as much as you can you're paying for a service they just failed at providing that service there's no being nice here you should demand answers you can withhold payment you just do what's necessary to find out what happened and in many instances you know this could be a material breach of contract I'll let you know finally after you've beaten them up and you decide to dump them or ensure that they fix the issues you need to do one of the other
dump them or ensure they fix the issues but sometimes you might even have to help them fix it depending on the size of this bender I like to say those vendors we don't need but everyone's got a purpose so it comes down the risk tolerance your organization that we talked about and how well the vendor handled the breach so breaches happen they're gonna happen everywhere everything we're doing here is to limit the impact in liability to you and the organization and ensure it's handled in a professional manner so when you're done you're gonna notice they're glaring holes in your process they need to be fixed so you may be your instant response plan really didn't accommodate
a vendor it was only going to provide information every four to six hours or maybe you need more controls in your contract maybe you need insurance coverage for this type of event or stricter reviews of vendors and you know you might just need to get new vendors and they're always lessons to be learned that there's not then you probably miss something so through all that still work here I mean I guess that's great you weathered a storm of a vendor breach you got your executives on board and you have a strong third party risk management program now and we even hired a whole team to work with you isn't that great you control the purse strings of the
organization and the whole company knows the importance of coming to you when there's something when they're before there's a contract being signed so you're the hero that's what we like to think and hopefully that's the case that's the way it goes because you don't want to be the one who catches blame when something goes wrong so that's pretty much it for me I'd like to thank you guys for coming I think these sides this is my first talk of done in public but if there's any questions happy to take them otherwise I'm gonna get you out of here a little bit earlier on time ish all right thank you go get some ice cream