The Wall Street Journal recently reported that well-known cybersecurity startup Tanium, Inc. had been inadvertently exposing one of its clients’ sensitive data during product demonstrations. Unbeknownst to the Tanium client—the non-profit El Camino Hospital, in Santa Clara County, California—Tanium had been giving prospective customers a look inside of El Camino’s secure network to show how well its cybersecurity software worked. Not only did Tanium give the presentation “hundreds of times,” it also posted videos of the demonstration on its public website. All of this was without El Camino’s permission.
According to the Wall Street Journal, “The Tanium demonstrations exposed El Camino Hospital’s private network information, including security vulnerabilities, server and computer names, versions of antivirus software that might be out of date and some personnel information, according to the videos. Companies generally guard such information closely, as someone seeing it could use it to help gain access to the network for malicious purposes.”
Though Tanium says it has since stopped the practice and has taken responsibility for its actions, the episode serves as a stark reminder that cyber risks come from both obvious sources (hackers and phishing schemes) and non-obvious ones, including the information security vendors hired to reduce that risk.
El Camino's position, unfortunately, is not unique. Some of the largest data breaches in recent years can be attributed to the actions (be they deliberate, careless, or even inadvertent) of third-party vendors. For example, the now-infamous 2013 breach of Target's corporate network was ultimately traced to a third-party refrigeration contractor, an employee of which was duped by a phishing scheme; the credentials obtained that way were then used to reach Target's network. Risks of third-party breaches are no longer hypothetical. They are nearly everywhere, and they need to be taken seriously.
Reading about the Tanium affair, we immediately thought of the National Association of Corporate Directors' ("NACD") recently released handbook on cyber-risk oversight, which similarly urges organizations to view cyber-threats more broadly than as a matter for the IT department alone.
Among other things, the NACD handbook suggests that, as a general proposition, directors view cyber-threats as an enterprise-wide issue and not an IT issue, understand the legal implications of cyber-threats, have regular discussions of cyber-threats at the board level, set expectations that management will establish enterprise-wide cyber-threat strategies with adequate staffing and budget, and determine at the board level what constitutes an acceptable level of risk for the particular organization.
The Tanium affair makes clear that the risk of a data breach can stem from any business decision, and organizations need to be wary of these risks. Fortunately, familiar tools that organizations have available to manage traditional business risks—contractual protection, appropriate insurance, and sound legal advice—can also be effective in managing a number of cyber-risks. As the NACD handbook suggests, boards are uniquely positioned to prioritize—and incentivize—making data security concerns a key component of risk management.