Every day, there’s another news headline highlighting a data breach at a large, well-known company. We are so used to hearing of them now that the impact has been lessened. The Target breach was different. For most people, the Target breach news struck close to home. It has been fascinating to follow the unraveling of how the event occurred and how Target has responded to the breach. As much as Target would like the data breach news coverage to end, it is not going away.
The latest finding is that the Target breach likely occurred through Fazio Mechanical Services, Inc. (FSM), a refrigeration contractor in Pittsburgh that connected to Target’s systems to do electronic billing, contract submission, and project management. It now appears that FSM itself was hacked in a sophisticated attack.
This new piece of information gives rise to many questions that need to be answered. For IT security organizations, here are three critical ones for consideration:
1. Did FSM really need electronic connectivity to Target’s networks?
Every situation is different, and each one needs to be judged on its own merits. However, every company needs to think very carefully before connecting anyone to their internal computer networks. A connection, by its very nature, generates additional risk. Connecting an outside company to the internal network may save money and create efficiencies, but how much can be lost if something goes sour?