Halkyn Security Blog
Specialist Security & Risk Management Consultants

Supplier Security – A lesson for T-Mobile

Supplier security problems result in this notice from the CEO of T-Mobile


Supplier security is something most organisations are at least aware of, and many actually realise they need to do something about it. However, most of the time, “doing something” about it involves a quick chat with the supplier, possibly a generic check-list and a review that the contract at least mentions security. The problem is the assumption that if the supplier drops the ball, the supplier is the one who will suffer the harm.

This week, T-Mobile USA were unfortunate enough to be the example showing why that mindset is really, really wrong. There is no escaping the fact that supplier security matters. If you aren’t driving your suppliers hard, things will end badly.

Supplier security – what went wrong for T-Mobile?

First off, for the avoidance of doubt, there is no reason to think T-Mobile have done anything wrong. Nothing here is meant to imply they failed to implement good supplier security controls.

Yesterday, it was reported (here and here) that the credit checking agency Experian had suffered a major breach. The breach exposed personal data belonging to T-Mobile USA customers. Initial reports are that the breach lasted over 2 years and around 15 million records have been compromised.

It seems the attacker(s) accessed a file containing every credit check Experian has ever conducted for T-Mobile. The customers put their faith in T-Mobile and there was no breach at T-Mobile. However, they are still the ones who will feel the impact here.

As an immediate damage limitation exercise, Experian have offered anyone affected by this a free 2 year account on ProtectMyID. Unfortunately this means you need to continue trusting Experian, and it’s not clear how effective a credit checking agency will be at general ID protection.

For T-Mobile, this is a pretty painful situation. They had no breach, but their customers suffered. Some customers will blame T-Mobile for this. Some customers may leave T-Mobile. Customers don’t care about supplier security.

Don’t forget, if this was the UK/EU, the Data Controller is the one who gets the fine, not necessarily the data processor.

Supplier security – what should you do?

No one wants to be in the same boat as T-Mobile but every business needs suppliers of some description. So, the question is, how can you check your supplier security is good enough?

Step 1: actually take your supplier security seriously. Don’t assume it is just a task you have to tick off on an audit list. Don’t assume all your suppliers are the same. You need to fully integrate your supplier security processes into everything you do.

Step 2: risk assess your suppliers. Not all suppliers carry the same risk. Not all suppliers need the same level of scrutiny. Supplier security is never a one-size-fits-all problem. Some suppliers will provide business critical services. Some will be able to cause you massive reputational damage. Some won’t. You need to understand every supplier. In some cases, it may even be necessary to war-game possible scenarios so you can really understand how things can go wrong. Figure out what happens if they go bust, get breached or just mess up. Once you know this, you know how much pain this supplier can cause you.

Step 3: drive the supplier security process. The low risk suppliers can probably stay with the check-list approach. The high risk suppliers really need a dedicated supplier security assessment. This means you need to dedicate resources to go and fully understand how the supplier protects your services. If they aren’t up to scratch, find a new one.

Supplier security doesn’t need to be hard.

Supplier Security Assessment Questionnaire (PDF) – provided for free by Halkyn Consulting

There are lots of resources available to help with supplier security assessments – such as our free Supplier Security Assessment Questionnaire, or if you are willing to pay, the Supplier Security Evaluation Tool (SSET) provided by the ISF.

Whatever approach you decide, the most important thing is having an approach to supplier security which you actually use.

Never allow yourself to fall into the trap of thinking your suppliers don’t need supervision. Never fall into the trap of thinking that their problems will only be their problems. Never fall into the trap of assuming contracts will protect you.

Supplier security is important. Never forget that.
