Third-party risk represents the “next frontier” in the ongoing cyber war, says Kelly Barrett, vice president of internal audit and corporate compliance at Home Depot, where she navigated a cyber breach that hit like “a blow to the head” and now tells the story of how the company faced the crisis.
“I worry about third-party risk a lot,” said Barrett, in an address to the Institute of Internal Auditors General Audit Management conference. While the company quickly addressed a 2014 breach of its own customer payment data, the experience has led to plenty more activity to shore up other risks, she said. Third-party risk is one that still keeps her up at night.
“We are sharing tons of data with third parties,” Barrett said. The company outsources, for example, its benefit plans and health care benefits to a third party, in whom she says she has plenty of confidence. Still, “when I think of all the information that is exchanged, it’s frightening,” she said, especially when considering how much of that is shared into a deep pipeline of subcontractors and sub-subcontractors.
Home Depot is one of a growing list of household-name companies that have fallen victim to cyber-breaches. When the company discovered its breach in 2014, it was well on the way to shoring up its security after a 2010 deep-dive risk assessment around data security and privacy. “We did not have our heads in the sand,” she said. “The breach did not happen because we didn’t understand our risk and didn’t do anything about it.”
Cyber threats are becoming more sophisticated and calculated, said Theresa Grafenstine, inspector general for the U.S. House of Representatives, who also addressed the IIA conference. “This is a call to arms,” she said. “I promise you we are in the middle of a cyber war. We just haven’t defined it that way yet.”
Cyber crooks aren’t looking just for credit card information that they can sell on black markets. They are looking for personal information to use against individuals inside companies and organizations, so they can be turned into spies, Grafenstine said. “It’s espionage.”
Barrett and Grafenstine both said they favored the NIST framework as a means of getting control over an organization’s cyber risks. Although the framework is huge, Grafenstine said companies shouldn’t wade into a cyber-risk mitigation effort by trying to adopt NIST in its entirety.
“It’s daunting,” she said. “It has thousands of controls. You have to have a conversation with your chief information security officer and make sure you have a methodical way of choosing the controls for your risk profile. Maybe the first time, you go for the top five. That’s better than doing nothing.”
Barrett said tone at the top was key to navigating a crisis in a way that minimized the damage. “Our CEO was engaged every second,” she said. Top management emphasized doing anything necessary to make customers comfortable about shopping in the company’s stores, including shutting down the entire point-of-sale system if it was necessary to protect consumers. If it had come to that, “we would be out of business,” she said.