Invaders can access the house through many portals other than the front door. In the business world, that translates into a multitude of vendors, suppliers and other partners whose level of cybersecurity may be well below that of the company in question.
Exhibit A is the data breach that hit Target Corp. in November of 2013. Miscreants reportedly gained access to the credit card information of up to 110 million Target customers through an air-conditioning contractor. All it took was for one employee of that vendor to respond to a phishing e-mail.
Many similar attacks are likely to hit other companies in the future. According to Accenture’s Cyber Threatscape Report 2018, cybercriminals have shifted their strategies “to exploit third- and fourth-party supply chain partner environments to gain entry to target systems, even in verticals with mature cybersecurity standards, frameworks and regulations.”
Such entities represent an organization’s weak spot, says Matan Or-El, co-founder and chief executive officer of Panorays, a provider of automated third-party security management.
Just about every company has some process in place for vetting the security of its vendors. Often that will take the form of a questionnaire, asking about such measures as the maintenance of firewalls and degree of password complexity.
“The real problem with those kinds of surveys,” says Or-El, “is that they are a totally manual process. It takes time to vet. Usually it happens once a year, while cyber is a changing threat.”
Think of the thousands of suppliers serving a company like Target, and you begin to get an idea of the challenge that corporate security officers face. Clearly, the occasional questionnaire isn’t going to protect a big company from attack, no matter how much it’s spending on cybersecurity.
The biggest vulnerability is, as always, the human factor. In a large, globally distributed workforce, it’s highly likely that some inattentive employee will fall prey to a phishing scam, or other type of hacker’s trick. A single mistake can reverberate throughout the organization, touching on multiple systems and wreaking havoc with efforts to protect sensitive data. The cost of recovery, including damage to one’s brand, has the potential to far exceed that of the priciest security setup.
One vendor serving multiple customers opens countless doors to an attack. Or-El cites the more recent case of 7.ai, the provider of an artificial intelligence-driven platform for linking companies with consumers. Earlier this year, its online chat tool became infected with malware, exposing sensitive consumer information held by many of the vendor’s big accounts, including Sears, Delta Airlines, Best Buy and Kmart. Again, a single unprotected door provides access to many rooms.
In the age of the cloud, a company might not be fully aware of the vendors with which it’s linked. Third-party service providers can engage fourth parties, of whom the principal might be unaware. But every partner, known or unknown, represents a point of vulnerability.
The need to protect data becomes even more crucial as governments begin cracking down on companies’ use of consumer information. The European Union’s new General Data Protection Regulation (GDPR) represents a significant step forward in data-privacy oversight. Expect such laws to expand globally, as regulators seek to rein in massive user data compilers such as Facebook.
All vendors in a supply chain must be prepared to comply with GDPR and similar laws, Or-El says. In fact, the first step toward shoring up one’s systems is understanding just who your suppliers are. Beyond that, companies need to classify each vendor according to the level of risk that it presents to the organization. In other words, how would the breach of a given vendor affect the operations of the company in question?
Ideally, companies should be working to close any security gaps before they are exploited by cybercriminals. And, because their techniques are constantly evolving, it’s essential that organizations continually monitor the security posture of every vendor, Or-El says.
The challenge can be daunting. Panorays identifies more than 10,000 different types of hackers, along with points of vulnerability numbering in the hundreds of thousands. Threats even exist outside a company’s nominal web presence; hackers often lure customers onto their own platforms by registering domain names that closely resemble the legitimate one. A mere mistake in typing can expose one to attack.
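The lookalike-domain problem described above can be monitored from the defender's side: given a brand domain and a list of newly seen or registered domains, flag the ones that differ by a single edit, swap visually confusable characters, reuse the brand label under another TLD, or embed the brand label. The code below is an added example, not Panorays' product or anything from the article; the domain names in it are constructed, and it assumes simple two-label domains (no public-suffix handling).

```python
# Added example (not from the article or from Panorays): flag domains that
# look like a legitimate brand domain. All domain names here are constructed.

# Character sequences commonly swapped for visually similar ones; folded before
# comparing so "exarnple" and "examp1e" both collapse to "example".
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "i": "l"}


def fold(label: str) -> str:
    """Normalise confusable characters so visual lookalikes compare equal."""
    for seq, repl in CONFUSABLES.items():
        label = label.replace(seq, repl)
    return label


def registrable_label(domain: str) -> str:
    """Second-level label of a domain ("www.example.com" -> "example").
    Assumption: simple TLDs only; "example.co.uk" would yield "co"."""
    return domain.lower().split(".")[-2]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(brand: str, candidates, max_distance: int = 1):
    """Return (domain, reason) pairs for candidates that resemble the brand."""
    brand = brand.lower()
    base_raw = registrable_label(brand)
    base = fold(base_raw)
    hits = []
    for cand in candidates:
        cand = cand.lower()
        if cand == brand:           # the genuine domain itself
            continue
        label = fold(registrable_label(cand))
        dist = levenshtein(base, label)
        if dist <= max_distance:    # typo, confusable swap, or other TLD
            hits.append((cand, "edit-distance %d" % dist))
        elif base_raw in label:     # brand label embedded, e.g. brand-login
            hits.append((cand, "contains brand label"))
    return hits


# Constructed sample: one genuine domain, five lookalikes, one unrelated.
SAMPLE_DOMAINS = ["examplestore.com", "exarnplestore.com", "examp1estore.com",
                  "examplestore.net", "examplestores.com",
                  "examplestore-login.com", "unrelated.org"]

if __name__ == "__main__":
    for domain, reason in lookalikes("examplestore.com", SAMPLE_DOMAINS):
        print(f"{domain:28} {reason}")
```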
Security technology is evolving along with hackers’ techniques. Blockchains hold promise as a means of storing proprietary information in a safe and immutable fashion, although their widespread use is still some ways away. “We haven’t seen something like that in our area,” says Or-El, “but as with any other technology that comes into our world, we really want to make the most of it.”
In the meantime, companies should be working closely with all of their suppliers, large and small, to drive home the necessity of strong security protocols. Engagements should take place on a continuous basis, to head off potential vulnerabilities. Says Or-El: “We see new things popping up every day.”