The Wipro Data Breach
There is an evolving story that Wipro has been breached, and the attackers have used their foothold in Wipro to launch attacks against at least twelve Wipro clients. As one of the largest IT outsourcing /services providers in the world, Wipro has privileged access to many of their clients’ most critical systems and the data that they process.
Over the next few months, I expect that many information security and Vendor Risk Management professionals at companies using Wipro are going to be sitting in a board or CXO Suite meeting answering a line of questioning that includes some variation of:
- How did this happen?
- What did we do (or not do) to determine if Wipro was secure?
- What should we have done differently?
I think the answers to the first two questions are (hopefully) reasonably apparent and relatively easily addressed if you have a reasonable Vendor Risk Management program.
How did this happen?
Breaches happen. It doesn’t matter that Wipro has 150,000+ employees with thousands of significant customers. Or that they likely have sufficient security attestations (e.g., SOC 2 reports or equivalent). Or that they check every box on virtually any security questionnaire. Mistakes are made, zero-day attacks are called that for a reason, and sometimes several small issues align perfectly “just wrong” to create the perfect storm.
What did we do?
Hopefully, you put them through your Vendor Risk Management program. You rated them as a high risk based on their level of access. They had no open issues on their security questionnaire. They provided a “clean” SOC 2 signed off by a Big 4 accounting firm. They had copies of recent “clean” penetration tests by IBM. They had no prior breaches. They had dozens of references from peer clients. In short, you did everything that a Vendor Risk Management Program should do.
What should we have done differently?
So at this point in the meeting, if I was sitting there as an outside third-party risk expert, I could shake my head in agreement and say, “Yup, you did everything by the book and just got unlucky.”
That being said, I am increasingly thinking the “book” may be wrong and many Vendor Risk Management programs are “outdated” (including plenty I have personally authored). Why do I say that? Think about the answer to the last question the Board is going to ask: “What should we have done differently?”
If you did everything by the book, then the answer is logically “Nothing”—yet I would be hard-pressed to defend that answer.
I think the right answer is that during the vendor review process we should have reported to management that Wipro would be a low risk as a vendor IF we do ‘X.’ Arriving at what ‘X’ is where it gets interesting. I think there are two logical ways to gather that info:
1) If you receive a SOC 2 report, there should be a section labelled “complementary user entity controls.” This is a list of controls that you are expected to have in place that complement the controls that the vendor has in place. The auditor’s opinion on the suitability of the controls in place assumes you have these controls. If you don’t, that opinion is no longer valid.
2) Assume the vendor will be compromised. When it happens, what are the controls that you would need to have in place at your location to ensure that your organization would be reasonably secure? Additional firewall rules to limit access? Log monitoring to ensure that actions taken are as expected? Data backups at a location with an encryption key that you control? Etc.?
Your Vendor Report should communicate X to the Vendor Relationship Owner/Management. They may determine that the risk doesn’t warrant the operational or financial cost of the controls you specified. But at that point there is nothing you could or should have done differently.
Vendor Risk Management and Cloud-based Services
While the cloud provides a lot of benefit, it also has the disadvantage of concentrating risk in the supply chain, because a single breach involving the wrong partner (e.g., law firms, SaaS providers, IT Service Providers, etc.) can yield access to hundreds of companies.
Gotta run: looks like I need to make some updates to our Vendor Risk Management Program and speak with a number of clients about their programs as well…