Last week we discussed last December’s Target breach, the phishing campaign that led up to it and the repercussions that a single email can have on a multinational corporation.
According to Brian Krebs, Fazio Mechanical, the HVAC firm at the center of the Target breach, was using a free version of Malwarebytes software as its only anti-malware solution. This raises an interesting point: when it comes to compliance, how much do you really know about the firms that contract with you?
Part of basic vendor risk management is understanding how the vendors you work with can affect you in the worst-case scenario. In the end, Target needed to make absolutely sure that Fazio Mechanical was indeed compliant, because it was Target that stood to lose the most from a breach, not Fazio. An opening in the defenses of a regional heating company was peanuts compared to an opening in Target’s security. The bigger the target, the more worthwhile it becomes for an attacker to use any means necessary to get in, even if that route is roundabout and time-consuming, as was most definitely the case with this incident.
So what could Target have done differently in this case? Actually, there is a simple way that the millions of dollars lost, millions of customers with lost information, tens of lawsuits and the inevitable lost trust that accompanied all of this could have been avoided. All that would have been necessary would be Target insisting that every vendor they work with use Sendio for their email security solution.
Our multiple tiers of email security mean that messages hiding malware never make it into the enterprise’s system, even if they’ve been sent from a whitelisted address. Every email must go through layers of security, including silverlisting, malware scanning and IP reputation checks, before even reaching our Sender Address Verification step, which must be answered by a human before the message can continue.
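To make the layered model above concrete, here is a small added example (written for this post, not Sendio’s code or a description of its internals) of an inbound-mail policy that runs the same four stages in the same order: silverlisting, malware scanning, IP reputation, then a human-answered sender verification. Silverlisting is modelled here as greylisting (temporarily defer the first contact from an unknown sender/IP pair and accept the retry), which is an assumption about how that stage behaves. All addresses, IPs, the blocklist and the "malware" signature are constructed for the demo. The point the code makes explicit is that the scan runs before any trust decision, so a message from an already-verified (whitelisted) sender that carries malware is still rejected, and an unknown sender is held until a human answers the challenge.

```python
"""Toy model of a layered inbound-mail policy (constructed example, not Sendio code).

Stages, in order: silverlisting (modelled as greylisting), attachment scan,
IP reputation, sender address verification (human-answered challenge).
"""

from dataclasses import dataclass, field
import secrets


@dataclass
class Message:
    sender: str                 # envelope sender address
    sender_ip: str              # address of the connecting MTA
    subject: str
    attachments: list = field(default_factory=list)  # raw attachment bytes


@dataclass
class Verdict:
    action: str                 # "defer", "reject", "challenge" or "deliver"
    reason: str


class InboundMailPolicy:
    def __init__(self, verified_senders, bad_ips, malware_signatures):
        self.verified = set(verified_senders)       # senders a human already accepted
        self.bad_ips = set(bad_ips)                 # constructed reputation blocklist
        self.signatures = list(malware_signatures)  # constructed byte patterns to match
        self.seen_pairs = set()                     # (ip, sender) pairs that have retried
        self.pending = {}                           # challenge token -> held message

    # Stage 1: silverlisting, modelled as greylisting. First contact from an
    # (ip, sender) pair gets a temporary failure; real MTAs retry, most spam tools do not.
    def _silverlist(self, msg):
        key = (msg.sender_ip, msg.sender)
        if key in self.seen_pairs:
            return None
        self.seen_pairs.add(key)
        return Verdict("defer", "silverlisted: first contact, retry later")

    # Stage 2: malware scan. Runs before any trust decision, so a verified
    # (whitelisted) sender carrying a matching payload is still rejected.
    def _scan(self, msg):
        for blob in msg.attachments:
            for sig in self.signatures:
                if sig in blob:
                    return Verdict("reject", "malware signature matched")
        return None

    # Stage 3: IP reputation check against the blocklist.
    def _reputation(self, msg):
        if msg.sender_ip in self.bad_ips:
            return Verdict("reject", "sending IP on reputation blocklist")
        return None

    # Stage 4: sender address verification. Unknown senders get a challenge and the
    # message is held until a human answers it; verified senders are delivered.
    def _verify_sender(self, msg):
        if msg.sender in self.verified:
            return Verdict("deliver", "verified sender")
        token = secrets.token_hex(8)
        self.pending[token] = msg
        return Verdict("challenge", f"verification challenge sent, token {token}")

    def process(self, msg):
        for stage in (self._silverlist, self._scan, self._reputation):
            verdict = stage(msg)
            if verdict is not None:
                return verdict
        return self._verify_sender(msg)

    def answer_challenge(self, token):
        """Called when a human answers the challenge: mark the sender verified and release the message."""
        msg = self.pending.pop(token, None)
        if msg is not None:
            self.verified.add(msg.sender)
        return msg


# Constructed sample traffic; every address, IP and signature here is fictional.
FAKE_SIG = b"X-FAKE-MALWARE-MARKER"


def run_demo():
    policy = InboundMailPolicy(
        verified_senders={"billing@hvac-vendor.example"},
        bad_ips={"203.0.113.9"},
        malware_signatures=[FAKE_SIG],
    )
    results = {}

    new_vendor = Message("ops@new-vendor.example", "198.51.100.7", "invoice", [b"%PDF-1.4 clean"])
    results["first_contact"] = policy.process(new_vendor).action    # defer (silverlisted)
    results["retry_unknown"] = policy.process(new_vendor).action    # challenge (unknown sender)
    token = next(iter(policy.pending))
    policy.answer_challenge(token)                                  # a human answers
    results["after_answer"] = policy.process(new_vendor).action     # deliver

    infected = Message("billing@hvac-vendor.example", "198.51.100.8", "invoice", [b"MZ" + FAKE_SIG])
    policy.process(infected)                                        # first contact: defer
    results["whitelisted_malware"] = policy.process(infected).action  # reject despite whitelist

    bad_ip = Message("sales@other.example", "203.0.113.9", "offer", [])
    policy.process(bad_ip)                                          # first contact: defer
    results["bad_ip"] = policy.process(bad_ip).action               # reject on reputation
    return results


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name}: {action}")
```

Running the block prints one verdict per scenario: `defer`, `challenge`, `deliver`, `reject`, `reject`. The ordering is the design choice worth noticing: because the scan and reputation stages sit ahead of the verification stage, a whitelist entry never bypasses them.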
There is one final hurdle to overcome, however: it may prove true that Fazio had been claiming compliance without actually taking the steps to become compliant. In that case, what would stop a company from falsely claiming to use an email security solution in order to obtain a lucrative contract from a multinational corporation? Fortunately, Sendio’s Sender Address Verification is a simple way to tell whether or not the companies that work with you have taken the proper measures to protect themselves (and you). Had Target insisted that every vendor it dealt with use Sendio, it would have known it was protected from the very first email.