If data breaches were a film genre, third-party cyber-risk would be the talk of producers and casting agents; it's where the money is. Like a relentless killer who cannot seem to be destroyed, third-party breach scenarios dominate the headlines. The scares are all different — compromised health records, weapons designs, or automakers' trade secrets — but the plot is the same: leaked and stolen files via compromised contractors, supply chains, or business partners.
From my vantage point counseling senior executives on cyber-risk management, it is easy to see why the ephemeral specter of third-party cyber-risk haunts the C-suite. It's because when you're operating in your company's own familiar environment, you often miss the warning signs of danger lurking — until something hits you. Leaders complain they can spend untold sums and time ratcheting down their company's internal security measures only to see their data and reputation suffer the consequences of errors and carelessness at other companies, seemingly out of their control.
Let's break down a few third-party breach tropes and how to confront them:
The Partner You Don't Know
Just as the Creature from the Black Lagoon terrified boaters who stumbled onto his turf, many companies don't learn of a third-party's privileged access until a breach flops onto the deck and begins costly disruptions. Given how technology and business forces constantly evolve, it is very easy to overlook business partners who have accumulated through decentralized and delegated sourcing, M&A, and other shifts.
The best way to avoid a terrifying Halloween surprise (or any other time of year, for that matter) is to create cross-functional vendor management teams including sales, development, and marketing. These overseers can interface with both the chief information security officer's (CISO) organization and other stakeholders, like the CFO. This will maintain an updated, central radar screen of third-party relationships to ensure that security, financial, and other controls are all evenly applied.
The Trusted Partner Who Proves to Be Risky
Dr. Jekyll probably aced his security interviews and contract negotiations. After all, he's a scientist! But what oversight mechanism kicks in when a company you trust one minute becomes the equivalent of Mr. Hyde the next?
The solution requires more than annual audits, one-time compliance checks, or the threat of litigation. It's better for companies to configure alerts that fire on the names of IP and business partners whose names turn up on the Dark Web, paste sites, or the wider cybercrime underground. Often, the first occurrence of breached data offers telltale indicators of whether the material was targeted directly, or spilled out of a larger third-party breach. Early-warning measures like these help minimize needless exposure by helping find and remedy vulnerable systems.
The Promise and Peril of New Technology Frontiers
Dr. Frankenstein thought he could make death obsolete. In Event Horizon and Ex Machina, brilliant minds create new technologies that are awe-inspiring at first — but soon reveal terrifying, unintended consequences. Protagonists begin these films coolly and seemingly in control of technology that pushes boundaries but end up with more than they bargained for, and a total loss of control.
Today's ubiquitous third-party data breaches fortunately do not cause loss of life or the rise of sentient machines. However, many a company has rushed to embed a hot new service provider's remarkable technology without necessarily realizing or weighing the inherent risk being shouldered in the process. For example, companies that turned to a popular online chat tool, including Best Buy, Sears, and Delta Airlines, were affected when the high-profile, category-defining vendor behind the chat platform was hit with malware.
In fairness, any outsourced technology can be breached — not only those of hot, emerging startups. But this underscores the point that companies need to follow the trail to see where their data goes and "who" has access to "what." While it's unrealistic to expect a customer service leader to know her or his company's entire risk appetite, it underscores the need to have cross-functional team-based approaches to sourcing and major investments in any new technology partner — particularly those running code on your site or in your product.
THE END… or is it? When the 3:00 a.m. phone calls, harried email threads, tired spokespeople, and empty takeout containers subside after an exhausting data breach response, employees feel partially relieved. Yet they are also wary of "What else is out there?" This is akin to how our heroes feel after they finally destroy the last alien or zombie — right before the camera pans to an egg or one more infected person right before the credits roll. Hollywood and merchandisers love to set things up for a sequel, but executives and CISOs would be doomed to failure if they find themselves trapped in a reboot of the same breach screenplay six months later.
After every third-party breach affecting their business or a peer company, security leaders need to take stock of what happened, and study precursor activities or preconditions that allowed excessive risk to go unchecked. In some cases, attackers might have been remarkably lucky, or the root cause could be the result of unimaginable oversights in vendor behavior and decision-making.
It is true no organization can find everything that might be lurking in the night to do them harm. But taking a deeper look at these telling patterns can equip security professionals to speak up when they start hearing familiar assumptions and clichés from scripts they have seen too many times before.
- 8 Threats That Could Sink Your Company
- CISOs: How to Answer the 5 Questions Boards Will Ask You
- Who Does What in Cybersecurity at the C-Level
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.