On July 7, the Financial Services Information Sharing and Analysis Center, along with Visa, the U.S. Secret Service and The Retail Cyber Intelligence Sharing Center, which provides threat intelligence for retailers, issued a cybersecurity alert about risks merchants face when dealing with third parties.
The alert lists a number of security recommendations for managing third-party risks, including using multifactor authentication for remote-access login to point-of-sale systems and including specific policies related to outdated operating systems and software in contracts with vendors.
Earlier this month, Chris Bretz, director of payment risk at the FS-ISAC, warned that managed service providers that offer outsourced services to numerous merchants are increasingly being targeted by cybercriminals.
“Criminals continue to find success by targeting smaller retailers that use common IT and payments systems,” Bretz said in an interview with ISMG. “Merchants in industry verticals often use managed service provider systems. There might be 100 merchants that use a managed service provider that provides IT and payment services for their business.”
Other recommendations include:
- Policies for vendors should be implemented, and minimum levels of supported operating systems should be included. For example, vendors should not be permitted to remotely access your network with out-of-date operating systems like Windows XP.
- Identify third parties with physical access or remote access through the network perimeter.
- Evaluate and limit third-party network access privileges. For example, whitelist third-party network addresses on a firewall provisioned to control remote access by third parties.
- Conduct information security and risk assessments of all third party vendors that have access to your
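The recommendations above (minimum supported operating systems, multifactor authentication for remote access, and a firewall whitelist of third-party addresses) can be enforced from a single vendor-access inventory. The script below is an added example and is not from the FS-ISAC alert or from Iceberg: the inventory entries, the list of accepted operating systems, the RDP/VNC port set, the "too broad" range threshold and the nftables chain name `pos_vendor_access` are all constructed assumptions. It checks each vendor against the policy, reports violations, and emits allowlist rules only for vendors that pass, ending with a default-deny rule.

```python
"""Third-party remote-access policy check and firewall allowlist generator.

Added example (not the alert's or Iceberg's own code). All inventory data,
the supported-OS set, the port set and the nftables chain name are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed: operating systems the organization still accepts on vendor jump hosts.
SUPPORTED_OS = {"Windows 10", "Windows 11", "Windows Server 2019",
                "Windows Server 2022", "Ubuntu 22.04"}
# Constructed: remote-access ports (RDP, VNC) a vendor may reach in the POS segment.
POS_REMOTE_ACCESS_PORTS = (3389, 5900)
# Constructed: a vendor source range wider than a /24 is treated as too broad to allowlist.
MAX_SOURCE_ADDRESSES = 256


@dataclass(frozen=True)
class VendorAccess:
    vendor: str            # vendor name used in the rule comment
    source_cidr: str       # address range the vendor connects from
    operating_system: str  # OS of the host the vendor connects from
    mfa_enabled: bool      # whether remote-access login requires MFA


def evaluate(entry: VendorAccess) -> list[str]:
    """Return the policy violations for one vendor; empty means it may be allowlisted."""
    findings = []
    if entry.operating_system not in SUPPORTED_OS:
        findings.append(f"{entry.vendor}: unsupported operating system '{entry.operating_system}'")
    if not entry.mfa_enabled:
        findings.append(f"{entry.vendor}: remote access without multifactor authentication")
    try:
        network = ipaddress.ip_network(entry.source_cidr, strict=True)
    except ValueError:
        findings.append(f"{entry.vendor}: invalid source range '{entry.source_cidr}'")
        return findings
    if network.num_addresses > MAX_SOURCE_ADDRESSES:
        findings.append(f"{entry.vendor}: source range {network} is too broad")
    return findings


def build_allowlist(inventory: list[VendorAccess]) -> tuple[list[str], list[str]]:
    """Emit nftables 'add rule' lines for compliant vendors plus findings for the rest.

    The chain 'pos_vendor_access' in table 'inet filter' is assumed to exist on a
    firewall in front of the POS segment; only its contents are generated here.
    """
    ports = ", ".join(str(p) for p in POS_REMOTE_ACCESS_PORTS)
    rules, findings = [], []
    for entry in inventory:
        problems = evaluate(entry)
        if problems:
            findings.extend(problems)
            continue  # non-compliant vendors never reach the allowlist
        rules.append(
            f"add rule inet filter pos_vendor_access ip saddr {entry.source_cidr} "
            f'tcp dport {{ {ports} }} accept comment "{entry.vendor}"'
        )
    # Default deny: any third-party source not explicitly allowlisted is dropped.
    rules.append("add rule inet filter pos_vendor_access drop")
    return rules, findings


# Constructed sample inventory (TEST-NET addresses, fictional vendor names).
INVENTORY = [
    VendorAccess("pos-maintenance-co", "203.0.113.0/28", "Windows 11", True),
    VendorAccess("legacy-support-llc", "198.51.100.10/32", "Windows XP", True),
    VendorAccess("remote-helpdesk-inc", "0.0.0.0/0", "Ubuntu 22.04", False),
]

if __name__ == "__main__":
    allow_rules, policy_findings = build_allowlist(INVENTORY)
    print("# findings")
    for line in policy_findings:
        print("  " + line)
    print("# nftables rules")
    for line in allow_rules:
        print(line)
```

Run as-is, the script allowlists only `pos-maintenance-co`, reports the Windows XP host and the vendor with no MFA and a `0.0.0.0/0` source range, and closes the chain with a drop rule, which is the default-deny posture the firewall recommendation implies.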
With organizations partnering with hundreds (or even thousands) of suppliers to deliver products and services, third party risk is a growing concern for Canadian organizations. Read Iceberg’s Vendor Risk solution brief…