It's no secret that the holiday season serves up an extra heaping portion of cyber-risk. Businesses large and small find themselves in the crosshairs for highly targeted and cleverly adapted cyberattacks, yet many also rely heavily on temp workers, independent contractors, subcontractors, per diem staff, and vendors that expand the attack surface.
And this year represents largely uncharted territory. As the pandemic grinds on and the dynamics of business and work evolve – including people working from home – third-party risks have skyrocketed.
"We are witnessing unprecedented changes that are altering and expanding exposure for companies," says David Hau, head of middle market, FINEX cyber, North America at Willis Towers Watson.
One thing is clear: Organizations must be vigilant on several fronts. This includes focusing on highly tailored phishing and business compromise attacks based on holiday and pandemic issues, employees and contingent staff using their own gear, changes to in-store policies and procedures, and disruptions in the supply chain due to COVID-19, which may lead to a business relying on untested suppliers and vendors.
"It's easy to brush aside serious cybersecurity concerns as businesses attempt to keep up with the holiday crush," Hau points out. "It's critical to ensure that there are sound protections in place."
At the heart of third-party risk is this simple but profound fact: It's difficult to ensure outside companies and individuals adhere to security practices, policies, and behavior. While employees working from home may use company-issued laptops and virtual private networks (VPNs), contingent workers frequently rely on their own equipment. Not surprisingly, this increases the risk of misconfigured security settings and inconsistent protections.
"Frequently, a cable company installs equipment and people keep the default settings and passcodes for cable modems, routers, Wi-Fi, and other equipment," says Alan W. Silberberg, CEO of security and risk mitigation firm Digijaks.
To minimize risk, either a member of the IT team should connect remotely and configure security settings or an employee should receive explicit instructions on what constitutes an acceptable password, along with step-by-step instructions on how to change it for various devices. If a third party is handling the task, it's critical to ensure they're trained appropriately and understand rules, policies, and procedures.
Another problem is that some routers, VPNs, and software have known vulnerabilities that manufacturers haven't addressed. For instance, Microsoft's Remote Desktop Protocol (RDP), which facilitates connections between corporate networks and remote computers, is a known entry point for ransomware cartels. In this type of attack, cybercriminals target systems that lack multifactor authentication (MFA). Once inside, an attacker drops a menu-driven PowerShell script into the system and establishes a persistent RDP connection that makes it possible to commander the network.
Avoiding Risky Business
There are other practical considerations that extend to workers and third parties. For example, if company-issued gear, such as preconfigured laptops, is not possible, it's essential to secure communications with external devices through a VPN, MFA, encryption, patch management, and system controls to "harden the environment," Hau explains.
It's also critical to train seasonal workers and other third parties about security tools and protections, along with how to spot suspicious phishing emails and avoid risky practices and behaviors. It couldn't hurt to remind year-round employees about that, as well. During the holidays, this may include identifying spoofed messages about bonuses, gifts, or virtual holiday gatherings with links that load malware.
Even when an outside business or individual has established clear policies and standards – or signed an agreement to abide by a company's rules – it can be difficult to know whether people are adhering to a security framework. This includes how they are using and sharing data to personal devices and outside entities.
"A common problem is that people forward emails and other data to personal accounts," Hau notes.
Contingent workers may also be more susceptible to phishing attempts because they aren't familiar with specific people and processes at a company. Many attacks – including those directed to employees – succeed because they prey on people's anxieties, which these days are about the pandemic, political events, and the holidays.
In addition, security lapses can occur when third parties share information through Zoom or audio conference calls with partners and customers, or by connecting to the wrong session, Silberberg says. Consequently, it's important to use safeguards such as requiring participants to register in advance for a meeting, requiring passcodes to join meetings, using waiting rooms and reviewing a list of participants before jumping on a call, and using randomly generated meeting IDs for third-party or public-facing meetings.
Once a meeting starts, consider locking the meeting to block any additional participants, managing screen sharing, and blocking private chat functionality.
Beware of Scams
The pandemic has led to sometimes significant disruptions in supply chains – and forced some businesses to scramble to find new and untested suppliers and vendors. In some cases, these firms may have inadequate cybersecurity safeguards in place. In addition, be wary of shady and fraudulent suppliers capitalizing on supply chain disruptions.
For example, Silberberg says cyberthieves create shell companies that pose as legitimate firms in order to gain access to enterprise networks. These firms often pray on known problems and issues, particularly revolving around shortages of goods and supplies, Silberberg notes.
"In the healthcare arena, we have found firms selling fake or counterfeit personal protective equipment, companies with phony CDC and FDA certificates, and other falsified credentials," he offers as examples.
Crooked firms also use inferior products as a front for connecting to companies and gaining access to portions of their networks. "Where there are opportunities there are bad actors," Silberberg says.
In addition, Silberberg says it's essential to conduct a thorough vendor validation process – and the holiday crush is no excuse to bypass known safeguards. "You can't get into the mindset that it's OK to skip due diligence," he says.
Finally, Hau believes it's critical to have a response plan in place if a cyber incident or supply chain disruption occurs. This may include cyber-insurance but also a detailed response plan for dealing with a breach or breakdown. It's also essential to distribute an incident response process and business continuity framework to new third parties.
A False Sense of Security
In the end, consulting firm PwC recommends a thorough review of user and data ecosystems, including mapping data flow, accessing third-party safeguards, adopting industry standards, and stress-testing a cybersecurity plan
Vigilance cannot wane, regardless of time and financial pressures, Hau says.
"Companies must be at a heightened state of alert," he concludes. "The holidays combined with the pandemic have elevated the risks and threats. When you bring third parties into the picture, the dangers are even greater."