You are only as secure as your weakest link

by Mark Rowe

The third-party ‘backdoor’ remains a real risk to organisations’ cyber-security, and organisations need to check their supply chains’ and partners’ security practices, writes Darren Craig, founder of info-security technology company RiskXchange.

The past five years have seen a significant number of regulations implemented, all designed to ensure that companies shore up their cyber defences in the face of increasingly sophisticated and cunning cybercriminals. On the whole they have worked adequately, giving companies something to measure their current security policies against. These regulations have, until recently, tended to drive companies to ensure that their own defences were in order; that is, until the introduction of GDPR.

Has GDPR opened businesses’ eyes to the threat from the supply chain?

GDPR has seemingly achieved a great deal in its short life span. It was launched with almost a fanfare; the news was covered by mainstream media, making it extraordinarily high profile. As a result, the public were suddenly very aware of the value of their data, the importance of keeping it secure and the consequences for companies that did not. Indeed, any breach now investigated by or reported to the ICO is mainstream headline news. This in turn means that a breach is not only a breach of security and a loss of data for a company, but can now result in huge fines and, potentially more harmful, a high-profile loss of reputation.

Another area which GDPR pushed into the spotlight is the threat that your supply chain poses. Up until the introduction of GDPR, other regulations had very much focused on sorting out your own security, almost ignoring the other routes that criminals can use to gain access to your infrastructure. Any third party with access into a company’s infrastructure remains a real threat.

Learning

2019 saw a remarkable number of security breaches involving third-party vulnerabilities, with companies apparently sticking their heads in the sand when it comes to the threat from their supply chain. In the first half of 2019 there were 4.1 billion records exposed by data breaches, a remarkable amount of potentially sensitive data now in the hands of criminals. Even more disturbingly, the Ponemon Institute has said that over half of all data breaches come from third-party sources. Some of the biggest, high-profile, global breaches were the result of poor cyber-security hygiene at third parties.

In June 2019 Quest Diagnostics, a healthcare organisation headquartered in the US, was breached, with 11.9 million patient records exposed. An unauthorised user gained access to this data through its billing collections partner, American Medical Collection Agency (AMCA). The data was exposed for a remarkable seven months before it was reported and the access closed, with data including credit card numbers, bank information and social security numbers all leaked.

One of the most high-profile cases was Facebook, which was the victim of two such breaches. One saw Mexican digital company Cultura Colectiva leave over 540 million records, including user IDs, account names and comments, exposed on a publicly accessible Amazon S3 server. The second incident saw unprotected passwords and email addresses for 22,000 users exposed via At The Pool, another third-party Facebook app.

You know that there is a major issue when even the FBI is impacted by third-party breaches. In January 2019, a remarkable 3 terabytes of information were left exposed, including FBI investigation records, millions of department files, personal data, internal communication records and more. These were on an open storage server belonging to the Oklahoma Department of Securities. The database was publicly accessible from any IP address and all files stored on the server were downloadable.

The reputational damage of any breach is huge, and customers will not care that criminals gained access through a third party rather than directly through your defences. However, alongside reputational and regulatory damage, recent examples of third-party breaches have shown that it is not just customers who lose faith, but investors too. Shares in International Airlines Group, the owner of British Airways, dropped more than four percent following a huge data breach. The card details of 380,000 customers were stolen after criminals found vulnerabilities in a third party’s embedded code.

It is clear from the incidents in 2019 that almost every company, no matter how big or what sector it operates in, is struggling to secure its supply chain. As a company, you can have the most sophisticated cyber defences available to you, applying your patches regularly and responsibly, and ensuring that you have buy-in from your own team in terms of responsible IT use, but it only takes one partner who takes a less responsible attitude to cyber-security to make all of your hard work null and void.

However, with the sheer amount of time taken up by monitoring your own security, the thought of diving into your partners’ security policies seems like a huge headache, and one potentially out of your hands. Many companies still rely on manual processes for collecting information on their supply chain’s security practices. Surveys are sent out which, for the most part, rely on partners’ honesty, and the information, even if accurate, is only relevant at the exact time the survey was completed.

The rate at which cyber criminals are developing more sophisticated methods of gaining access to infrastructure far exceeds the speed at which manual surveys are sent out and completed, meaning that by the time the paperwork has been returned, any security policies it describes may well be out of date.

Gaining a real-time view

Without a constant, real-time view of your partners’ security structure and practices, it is impossible to gain the insight needed for your own security. Many are turning to solutions that give businesses a non-intrusive, real-time view of their supply chain’s security. This third-party risk intelligence allows organisations to check for poor security hygiene and to assess how effective the security policies and strategies their partners have in place actually are.

Gaining this information in real time then allows companies to speak to their partners, helping them in good time to improve their security and patch potential weaknesses. It will also allow businesses to keep an eye on the actions of their partners, and if there is a persistent threat and a lack of action on their part, action will need to be taken, even down to looking for new partners with better security practices.

Closing and locking the backdoor, through which cybercriminals have far too often gained access to sensitive data, has to be the key objective for the next few years. We are likely to see not only a huge increase in the number and severity of the regulations brought in to protect data, but, as a result, we are also likely to see cyber criminals coming up with increasingly sophisticated methods of gaining access to it.

© 2024 Professional Security Magazine. All rights reserved.