Another day, another third party security compromise story… this time it is Indian outsourcing giant Wipro. The firm has confirmed that a small number of employee accounts were compromised as the result of “an advanced phishing attack,” and that the compromised accounts were then used in attacks on about a dozen of its customers. Apparently, the compromised Wipro workstations were used as a foothold to gain access to customer networks for further hacking.
First things first – did you ever notice that every successful phishing attack is described as “an advanced phishing attack?” I don’t know what the phishing email sent to Wipro was like, but I am sure that not EVERY phishing attack that has forced a company to issue a press release was the work of evil geniuses. Given the high profile of Wipro’s customers, it is quite possible that someone put in the time and effort to make their phish “advanced,” or even that the attack was state-sponsored, but for the most part, people fall for simple phishing attacks too. Not to pick on Wipro, but seeing every phishing attack described as “advanced” or “sophisticated” is almost as annoying as seeing the phrase “Security is very important to <insert name of hacked company here>.” But I digress.
Wipro is an established and well regarded company. I am sure that many of their customers performed the kind of security due diligence that all prudent companies do. They sent them questionnaires about their security practices. They talked to other customers. Maybe they even sent a team of auditors to India to meet with their security staff and give the place a look-see. Yet here we are.
This incident shows the fundamental issue with third party security reviews. We all have to do them in order to weed out obviously inferior companies from our supply chains. We all have to do them to satisfy management, shareholders, regulators, customers, auditors and other stakeholders’ desire to reduce risk and to show that “security is very important to <insert name of our company here>.” We spend lots of time on these reviews, asking questions, following up, writing reports, and repeating them annually. But in the end, whether a third party supplier has an incident or not comes down to what the least security-aware (or most harried and distracted) employee does when they have to make a decision, once an attacker smart enough to get through the first line of defense reaches them.
Should companies that chose to do business with Wipro feel that their due diligence process failed? I don’t think so; I would bet that Wipro has many satisfied customers and has taken care of lots of confidential data perfectly well. Hopefully, they will have learned from this incident and will strengthen their security arrangements accordingly.
What customers and potential customers should be looking at is what Wipro (or any other third party who has had a breach) does now. How transparent were they? What steps did they take to detect, contain and recover from the breach? What new security measures are they putting in place to prevent a similar incident in the future? How are they training their people to make them more resistant to such an attack?
According to security journalist Brian Krebs, Wipro’s response to the breach has been lacking in a number of ways. But when I read his critique, I can’t help but feel for the folks at Wipro: they were at the center of a media storm and did their best to manage the intense press interest. The lesson here is that a crisis communications plan is a must.
This is not to say that third party vendor due diligence is a waste of time; it isn’t. It can identify disconnects between the security posture of a potential outsourcer and the needs of your business. It can winnow out companies that are not ready to handle enterprise security requirements. In the best cases, it can help the third party understand your business needs and improve their security to meet them. But it has its limitations: even companies with the best security programs can fall victim to human weakness.
All the more reason to look at whether potential third parties have an effective incident response plan, to incorporate the possibility of a third party vendor breach into our own organizations’ incident response planning, and to remember that, no matter how much due diligence we do, humans will be humans.