Third-Party Vulnerabilities and Careless Risks
There are still some surprising cyber stories out there, just as there are data breaches due to weirdly baffling oversight. Imagine, a company being so careless as to give potential customers a look inside the secure network of an existing client, during its very public product demonstrations. That is apparently what happened with cybersecurity startup, Tanium, Inc. During demonstrations with potential customers, they highlighted their product’s value by showing it working in real time…on the network of El Camino Hospital in California. Put at risk were security vulnerabilities, server names, antivirus software information and personnel data.
Unfortunately, El Camino was not made aware of this, and so could not have given its permission.
Apparently these demonstrations were given hundreds of times before Tanium put an end to it and, just last month, issued a public apology. Ordinarily, according to the company, they “do not have access to your on-premises installation of Tanium, and won’t ask for it” outside of support purposes. However, in this case, they admit that they “should have done better anonymizing that customer’s data.”
It’s a striking revelation all the same. For all we talk about insiders being one of the top threats in cybersecurity, it’s important not to overlook third-parties as well, and the vulnerabilities they present. It was, after all, a third-party refrigeration contractor that accidentally led to the monumental Target breach in 2013. We have gotten to the point where this is a much more common occurrence, and a subject that should be discussed and strategized for at the board level. Those who continue to relegate cybersecurity to just an IT issue, withholding staff and budget across the whole business, face a losing proposition.
As do those who only go so far as to meet the bare minimum of compliance. For every new legal regulation written, it won’t take long for real hackers to find and exploit a new vulnerability that could have been discovered with a little more attention to detail.
The right attitude is therefore just as key in cybersecurity decisions as having the tools and tech. Without it, careless actions will abound; and do we really need to pile on to the frequency of data incidents with silly mistakes?