It is a basic tenet of business: No one can do it all alone.
In order to reach our goals, we count on strategic allies, channel partners, service providers. To grow, we merge, we make acquisitions.
Each external connection has always brought with it issues of corporate culture compatibility, human resource management and quality assurance. Now, cyber security is also of primary concern, particularly for large organizations that rely on small suppliers and contractors to get the job done.
How does one know if business allies are leaving the back door open and putting digital assets at risk?
The concern came to the fore in late 2013 at a security event in Houston, when business leaders from Shell, CenterPoint Energy, NASA and the Federal Reserve Bank of Dallas spoke out about terminating agreements with companies that failed to meet their security requirements. Speakers expressed concern that hackers were targeting small companies in order to attack their larger partners.
“We have definitely seen a rise in attackers doing things like going after a company’s smaller acquisition to get to their real target: the parent company,” says Chris Coleman, CEO of Lookingglass, an Arlington, Va.-based cyber threat intelligence company.
He is also concerned about the vulnerability that third-party suppliers introduce into supply chains, based on a survey his firm conducted recently. Over a 35-day period, Lookingglass analyzed the public internet space of 40 organizations that provide financial services to U.S. banks, and discovered that 100 percent of them had been compromised or were at risk. Eighty-five percent showed botnet activity, more than a third indicated the presence of malware, and a quarter had hosts attempting to communicate with multiple Conficker sinkholes.
“The Conficker presence is especially disheartening,” he says. “That just indicates unpatched and outdated systems, and remember, we’re talking about critical services to banks here.” Some of the companies his team looked at were large organizations with a lot of resources at their disposal, and the lack of resilience exhibited was a shock. And, needless to say, a lot of these third-party suppliers have their own third parties.
An obvious analogy is the kind of frank talk that parents have with teenagers about safe sex.
Engineer your network
It is enough to make a CSO lose even more sleep than usual, says Anup Ghosh, founder and CEO of Invincea in Fairfax, Va. “It’s hard enough to manage your own data, let alone worry what your service providers are doing,” he says. “If you’re a large business that relies on smaller partners, you need to engineer your network to segregate data.”
Short of flexing the kind of muscle that NASA and Shell have, and turfing out under-achievers, Ghosh believes companies need to introduce a financial inducement for service providers.
“I think organizations should start building some sort of claw-back mechanism into service agreements,” Ghosh says. “Otherwise, as the service provider, what’s my incentive to build in the kind of safeguards you require?”
Patrick Foxhoven, VP and CTO of emerging technologies at Zscaler in San Jose, Calif., says industry has a way to go before traditional covenants like service level agreements (SLAs) begin to capture the new realities of cyber risk. “SLAs really need to evolve,” he says. “I rarely see anything written into them regarding security.”
Other experts agree. “I haven’t seen anything like response times on data breaches built into SLAs yet,” says Ted Julian, chief marketing officer for Cambridge, Mass.-based Co3 Systems. He believes companies that interact with consumers need to drive change. “The customer relationship owner has the ultimate responsibility.”
Julian suggests a basic first step is for organizations to include service providers in tabletop planning exercises to ensure their incident management responses are aligned. That would fit well with the movement toward building security into corporate risk management, assigning sufficient budget to it and moving ultimate responsibility out of the IT group and into the C-suite.
“Unless you’re clutching tin cans to communicate, you have to see security as a business expense,” says Lookingglass’s Coleman. “It’s imperative to integrate security into every aspect of your business planning, and that extends to your entire supply chain.”
According to observers, the problem gets worse when the companies that are part of that chain are small and midsized businesses (SMBs) with fewer than 500 employees. They are far more likely to shortchange security in their annual budget, treat compliance as a checkbox exercise and fail to monitor their networks on an ongoing basis.
Foxhoven believes corporations need to begin insisting that their suppliers and partners come clean about flaws that exist in their networks. “If you’re going to hold yourself accountable to your customers, you should demand transparency from those you depend on to provide those services,” he says.
While that level of transparency is standard practice when companies conduct their due diligence to buy another entity, it is a lot to expect of an organization that is selling a service – and may be selling the same service to your competitor.
Is it too much to require? Foxhoven believes we may need to change the way we think about these types of business transactions. “You can’t rely on ‘trust us’ anymore,” he says, adding that having a clear understanding of what data will be shared between companies may be more important than the legal wording on service agreements, given that precedent law is lagging behind data leakage in most jurisdictions.
“The opportunity to apply legal pressure will begin to increase and align with new regulations,” says Julian, pointing to evolving legislation in California and the European Union.
Foxhoven is not quite as optimistic. He believes change will really only come with even more data breaches. “I think there will have to be a certain amount of pain to really expose the problem,” he says. “Some organizations see the gap, but we’re not at the place yet where we’ll see major change.”
Invincea’s Ghosh sees some change occurring, but says: “They are definitely only baby steps at this point. You see large enterprises focusing on risk, but SMBs can’t afford it. Simply adding more IT staff won’t get you there.”
Coleman thinks one innovation might be cyber insurance, with premiums based on the amount of exposure companies permit. Until that becomes widespread, he offers some prescriptive advice: “Look hard into the network hygiene of the organizations you do business with, and be cognizant of what their vulnerabilities are. However you structure your legal agreement, or whatever protective mechanisms you build into that agreement, you need to go in informed.”