Come to our session at #PSR18 – Vendor Risk Management: Maintaining Relationships While Limiting Liability

Are you at IAPP – International Association of Privacy Professionals P.S.R.  #PSR18 in Austin? If so, please come to our Thursday 10:30 – 11:30 session on Vendor Risk Management: Maintaining Relationships While Limiting Liability in Lone Star Ballroom A, Level 3. It should be great as I get to be with great panelists Tami Dokken and Melissa Krasnow and we will have Mark Smith as our moderator.

Bloomberg BNA Texas ProfileWhile you’re there pick up your copy of Bloomberg BNA’s  Domestic Privacy Profile: Texas!

If you can’t make it, here is a link to the .pdf (hey, I know people!).

Session Info: https://iapp.org/conference/privacy-security-risk/sessions-psr18/?id=a191a0000028eqTAAQ

Hacked F-35 Fighter Info from Australian Contractor Exemplifies Third-Party Risk in Cybersecurity

Third-party risk (or nth-party risk) is a hot topic in cybersecurity. While it can mean many things, at its core third-party risk describes a situation in which an organization that does a good job of protecting its own network and data, within its environment, works with other organizations that do not do such a good job and those organizations (third-parties or nth-parties), through their weaker security practices, put the first party’s network and data at risk.

This past week we learned that hackers had access to the network of a relatively small company that is a contractor for the Australian Signals Directorate for almost a year. The hackers were able to exfiltrate roughly 30GB of data including data about sensitive United States military assets such as “restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and a few Australian naval vessels.” Read more about the attack here: Hackers steal restricted information on F-35 fighter, JDAM, P-8 and C-130

This is a classic example of cybersecurity third-party risk and one every business should understand — just ask Target about it’s HVAC vendor, Fazio Mechanical. If you’re interested in learning more about these concepts, take a look at a recent checklist I created: Managing Third-Party Risk in Cybersecurity

For yesterday’s example of third-party risk see Third-Party Risk in Cybersecurity Exemplified by North Korea’s Stealing of US War Plans.

Third-Party Risk in Cybersecurity Exemplified by North Korea’s Stealing of US War Plans

Third-party risk (or nth-party risk) is a hot topic in cybersecurity. While it can mean many things, at its core third-party risk describes a situation in which an organization that does a good job of protecting its own network and data, within its environment, works with other organizations that do not do such a good job and those organizations (third-parties or nth-parties), through their weaker security practices, put the first party’s network and data at risk.

This past week we learned that the North Koreans stole the United States’ war plans for battle with North Korea. How did they do this? By cyber attack — not on the United States, which likely had the plans fairly well secured — but by cyberattack against the United States’ “partner” in this endeavor, the South Koreans, with whom the US had shared its plans. Read more about the attack here: ‘Ridiculous Mistake’ Let North Korea Steal Secret U.S. War Plans

This is a classic example of cybersecurity third-party risk and one every business should understand — just ask Target about it’s HVAC vendor, Fazio Mechanical. If you’re interested in learning more about these concepts, take a look at a recent checklist I created: Managing Third-Party Risk in Cybersecurity

Checklist: Managing Third-Party Risk in #Cybersecurity

If I timed this right, when this post publishes, I will be about to present at the ISACA CSX 2017 North America Cybersecurity Nexus Conference in Washington, DC. My talk is titled Legal Issues Associated with Third-Party Risk.

I am publishing this post with the #CSXNA and #CyberAware hashtags in the title so that conference attendees can find it on Twitter as I turned in the slides a few weeks ago and just this morning thought of creating a checklist. Hope you find this helpful and here are the full slides.

ISACA Checklist - Process for Managing Third-Party Risk

Here are a few tweets from earlier:

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Uber’s Settlement With FTC Emphasizes Companies’ Need for Cyber Risk Management Programs

The FTC and Uber have settled the enforcement action the FTC brought against the company. This action stems from Uber’s data breach of more than 100,000 individuals’ PII despite its promises that their data was “securely stored within our databases.” The FTC found this promise was misleading when compared with the actions the company was really taking. In settling the dispute, Uber entered into a Consent Decree that Continue reading “Uber’s Settlement With FTC Emphasizes Companies’ Need for Cyber Risk Management Programs”