Know Thy Vendor

I have been thinking a lot about two cyber-attacks that occurred over the past decade. In 2013, Target was hacked. Credit card information from 40 million customers was compromised. Target ended up settling for $18.5 million. In 2015, Russia attacked our electrical grid. While it was caught without too much damage, the consequences could have been catastrophic.

What did these attacks have in common? The hackers attacked their prime targets through contractors. Hackers found weaknesses in companies that Target and the power companies were using as contractors and exploited those vulnerabilities. For Target, it was an HVAC company and for the power providers, it was a site excavation company. These contractors were non-tech companies for which everyone underestimated the need for cybersecurity.

So if you are a vendor or service provider to another company, or if you use vendors or service providers (that includes your lawyers and accountants), you should be thinking about cybersecurity. Have you or your vendors done assessments? Do they have a cybersecurity policy? Are they implementing and monitoring controls? The era of “we’re fine” is truly over, especially in light of the massive digitization caused by the pandemic.

DOD is already being proactive in this area. It is beginning the implementation and enforcement of cybersecurity standards for all contractors in its supply chain by 2026. There is the distinct possibility that this could be extended to the entire federal contracting community. If you are a DOD or even a federal contractor, there will be a regulatory reason for taking cybersecurity seriously.

In the end, it boils down to one maxim:

“Cybersecurity is not One-Size-Fits-All but everyone definitely needs it.”