Cybersecurity and Supply Chains: A New Risk Management Paradigm
Businesses should understand where the weakest links are in their supply chains and where their sensitive business data resides outside of their network.
By Jeremy M. Kroll
Today, companies large and small are facing complex security and privacy challenges. Managing cybersecurity risk has become a leadership-level priority. We read about a massive data breach almost every day and are beginning to succumb to “breach fatigue” where every new breach seems to have less impact than the previous one.
What we are seeing, in our increasingly interconnected and globalized business world, is that security vulnerabilities have multiplied and are more diffuse. Before the advent of the Internet and the digitization of core business functions, a criminal would need to physically break into a company’s stores or offices to steal customer information or credit card numbers. They were constrained by what they could carry or the time they could spend inside a building before being discovered.
In the age of persistent cybercrime and compromised data, criminals can breach a business’ defenses from anywhere in the world. They steal valuable data from a company not only directly through company networks, but also indirectly through the network of a supplier. They buy access to compromised company credentials or attack kits that are tailored for specific industries or even specific businesses. And after securing ever-higher network access and credentials, they can remain undetected inside a company’s systems for months or even years, continuously siphoning off valuable data and penetrating deeper inside a business’ network.
Virtual Safe Havens
The black markets for hacking tools, credit card numbers, competitive intelligence, intellectual property and how-to guides to breach companies are proliferating. They are also becoming more sophisticated. These virtual bazaars are housed inside the Dark Net, a series of hidden websites and forums that are only accessible with such special anonymization software as Tor.
Cybercriminals and “hacktivists” buy and sell valuable information, ready-made vulnerabilities and data about individual companies inside these markets. And with more effective attack tools being developed and sold, hackers are gaining attack capabilities and intelligence they did not have before these markets existed. They can also sell valuable data they have stolen to other hackers after an attack has occurred. The availability of hacking tools and the corresponding diminished need for technical sophistication to perpetrate advanced and highly targeted attacks is a worrisome trend that is poised to continue.
It is from these virtual safe havens that many hackers have been planning and launching their operations. They target the most vulnerable entry points they can find. This means hackers often do not attack businesses directly, where they tend to be more fortified. They start by attacking the connected suppliers such as an HVAC vendor, the payment processor, the point-of-sale system, the law firm, or third-party service providers. For those of us who help businesses profile their cyber risks and gather intelligence about how hackers are targeting them, these developments represent an escalation that many business owners have not yet fully grasped.
Breaches on the Rise
The statistics on breaches are staggering and are trending in the wrong direction. According to the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, 43 percent of surveyed executives admitted their company had a data breach involving loss or theft of 1,000 or more records in 2014. That is up from 33 percent in 2013. When a third party is involved, it increases the average cost of a data breach by $14.80 per individual record, which adds up quickly when breaches involve thousands or even millions of compromised records.
The breach of Heartland Systems, a Fortune 1000 payment processor, in 2008 compromised 130 million debit and credit cards issued by more than 650 financial institutions. It was the largest breach of its kind at the time. It also presaged the environment we live in today. It highlighted, in a new way, the risks and costs vulnerable suppliers can impose.
We have seen millions of dollars in data breach remediation costs inflicted on companies such as Target and Home Depot. Less well-reported are the post-breach costs inflicted on small- and medium-size businesses. SMBs may not have the wherewithal to weather the costs of mitigating a breach, absorbing a decrease in sales, providing required customer notifications, fighting back against lawsuits or repairing their damaged reputation. These costs can force businesses into bankruptcy or to close their doors altogether.
Unfortunately, we have also seen a disturbing trend of “blame the victim” when it comes to data breaches, even if the company was compromised through vulnerabilities at a vendor. The media reflexively direct their ire toward the victimized business and blame it for the breach, instead of blaming the criminals.
Changing Scope of Vulnerabilities
Given these realities, companies need a greater understanding of the full scope of their vulnerabilities. Business owners and operators may have complete trust and confidence in their own management and IT team to protect their internal systems. But do they have that same confidence in their vendors’ security teams? Do they have any visibility into the threats and attack vectors facing their supply chain? Do they believe that their law firms and accounting firms, which house huge amounts of sensitive company data, can protect that information from exfiltration?
Do they know which of their suppliers have access to their systems either directly or indirectly? Do vendors have robust data protection policies? Have partners implemented comprehensive incident response plans and policies for notifying customers and clients about a breach? Do partners have a full understanding of their risk profiles? Do suppliers have cyber defense requirements for their own subcontractors and suppliers? If a partner is being evaluated as an acquisition, will vulnerable or already-infected systems be imported after the transaction?
These are questions we have been asking our clients that they are often not asking themselves. Many companies still think about their IT security the same way they did when firewalls and antivirus software were all that was needed to secure company systems. Or they may be so focused on their own systems that they forget how interconnected their businesses truly are. As many recent breaches demonstrate, the good old days of needing only to build the tallest walls and widest moats around networks are long gone.
Outside-In Understanding of Supply Chain Risk
Business owners should seek a richer understanding, from the outside-in, of the threats and malicious actors they face and the tactics those actors will employ. They also should know what kind of sensitive company information and compromised credentials are already exposed and are being bought and sold inside Dark Net marketplaces. Those efforts should complement the traditional pre-investment or vendor due diligence processes that businesses undertake when onboarding a new supply chain partner or evaluating a potential acquisition. These measures allow companies to plug vulnerabilities that might already exist.
Most importantly, businesses should understand where the weakest links are in their supply chains and where their sensitive business data resides outside of their network. That understanding comes from building a comprehensive risk profile and setting priorities around which risks deserve the most attention. Companies should also take extra precautions to ensure vendors and third-party service providers are doing everything possible to protect their partners, clients and customers.
As we see it, this is the new security and risk management paradigm that businesses face. And it is incumbent upon us all, across all industries, to foster cooperation and work even harder to ensure we can tackle these new threats together.