Cyber Security: Island Hopping
It has long been known that there are many ways that a business can have its corporate network compromised and critical business operations halted (e.g. ransomware), or its data stolen by criminals. Frequently, we hear the terms 'Cyber Security', 'Data Security', 'Information Security' or 'Cyber Resilience', and of businesses investing tens of thousands, or even millions, on new Cyber Security Strategies. This all sounds very impressive, but if so much time, effort and money is being ploughed into the defence of the corporate realm, why are we seeing an increasing volume of data breaches?
The attackers are using increasingly sophisticated methods?
No matter what is done, there will always be a weakness?
It's just too difficult?
More often than not, it is the attacker who is better informed about the extent of your vulnerabilities, or an insider circumventing a countermeasure, or an unknown risk created by a poorly managed 3rd party supplier. Therefore, it is essential that effective supplier management be treated as a key business process:
Managing both the relationship and continuing reassurances that these operations are safe and secure!
Corporate Supplier Relations
This is one of the most common areas that today's criminals are looking at for opportunities to obtain unauthorised access to sensitive data or to gain a foothold in their target's corporate network. Businesses will spend countless hours and money ring-fencing their network, applying anti-virus, carrying out vulnerability remediation and penetration testing. Yet, when it comes to outsourcing essential services and large volumes of data processing, they are often complacent about the measures they expect to be in place, and about setting out in their contracts, at the outset, the minimum standard of defence they expect the supplier to adhere to.
Would you ever buy a car without understanding the safety measures it has, or whether it even has working brakes?
Surely, if a business is thinking of outsourcing, there are a number of business justifications it will be considering, but shouldn't the potential business risk (including security) be at the top of that decision making?
For any in-house business operation, it is reasonable to expect that process to provide reassurance that it is safe and secure (e.g. monthly security metrics) and to undergo periodic validation checks (e.g. auditing), especially if it is regarded as a critical or high-risk business function. However, in outsourcing it is often the case that most reassurance is carried out on a wing and a prayer. During the initial vendor negotiations, it is likely that they will give you every reassurance that they employ all the 'Bells & Whistles' best practices, but frequently the reality is that they CAN provide this, but only at an additional cost (something they are unlikely to tell you during their sales pitches!).
Consequently, businesses get all 'Starry Eyed' and enter into an agreement with a shoddy contract (which excludes any security provisioning), a lacklustre security review and little (or no) aftercare or warranty. This agreement could last for a number of years and is rarely refreshed or revisited. Then, before we know it, the attackers have gained a clandestine, persistent foothold on the corporate network. Surely, this must have been a sophisticated cyber-attack? Nope, this is one of your trusted partners leaving a gaping hole in their network, which connects to yours. Imagine if this happened away from work: whilst having some building repairs done to your home, your builders (trusted partners) left a door unlocked, or a window open. You return to a burgled home and a void insurance policy!
Astonishingly, it is reported that 50% of cyber-attacks now use the tactics of 'Island Hopping'. Why? Because the criminals have recognised that the smaller islands present a far greater potential yield, relative to the effort needed to breach their defences and gain unauthorised access to the outsourced data processing or to the connected network.
If you are a business that outsources services, you should remember that outsourcing is the transference of risk and responsibilities, but this does not reduce your accountability for ensuring that the service meets the same expectations you would have for an in-house process.
Therefore, I would highly recommend that you regard outsourcing as a risk management exercise and manage it in the same way. Each vendor is a potential Course of Action (CoA) in your risk decision-making process. Essential to this is having sufficient information to enable you to make an informed decision as to the best CoA for your company. Start by asking yourself the following types of questions:
Do you understand the value of your 3rd parties and the potential impact a vendor might have on you if they failed to deliver an essential service, or were subject to a breach where your company data became compromised?
For example, half a million records = a potential cost of $75 million ($150 per record)
Do you understand to what extent they can meet your expectations for safeguarding your services, networks and data?
If you are buying a service (e.g. Threat Hunting, Security Operations Centre, etc.), does it deliver exactly what the 'Salesperson' promised? Remember that not everything you may have been told is completely accurate, or was included in your subscription (perhaps never included, or even excluded to get you the price you were willing to pay).
How robust is your contract and what are the consequences for the vendor, if they fail to fulfil their obligations?
How comprehensive is your assurance process, in line with the potential impact of the 3rd party being compromised?
How robust are their supporting systems and processes?
How are you managing the ongoing relationships, in regard to maintaining a robust security profile?
Do you understand how they may connect to your corporate environment?
Managing your 3rd parties, especially in increasingly niche markets, is becoming ever more important. However, not all vendors are created equal, and so it is essential that the management of 3rd party suppliers is considered a business-critical process and placed at the top of any corporation's risk register.
However, do not take my word for it; just take a look at the number of 3rd party breaches that have had a considerable financial, regulatory and reputational impact on large corporations: