It is a basic tenet of business: No one can do it all alone.
In order to reach our goals, we count on strategic allies, channel partners, service providers. To grow, we merge, we make acquisitions.
Each external connection has always brought with it issues of corporate culture compatibility, human resource management and quality assurance. Now, cyber security is also of primary concern, particularly for large organizations that rely on small suppliers and contractors to get the job done.
How does one know if business allies are leaving the back door open and putting digital assets at risk?
The concern came to the fore in late 2013 at a security event in Houston, when business leaders from Shell, CenterPoint Energy, NASA and the Federal Reserve Bank of Dallas spoke out about terminating agreements with companies that failed to meet their security requirements. Speakers expressed concern that hackers were targeting small companies in order to attack their larger partners.
“We have definitely seen a rise in attackers doing things like going after a company's smaller acquisition to get to their real target: the parent company,” says Chris Coleman, CEO of Lookingglass, an Arlington, Va.-based cyber threat intelligence company.
He is also concerned about the vulnerability that third-party suppliers introduce into supply chains, based on a survey his firm conducted recently. Over a 35-day period, Lookingglass analyzed the public internet space of 40 organizations that provide financial services to U.S. banks, and discovered that 100 percent of them had been compromised or were at risk. Eighty-five percent showed botnet activity, more than a third indicated the presence of malware, and a quarter had hosts attempting to communicate with multiple Conficker sinkholes.
“The Conficker presence is especially disheartening,” he says. “That just indicates unpatched and outdated systems, and remember, we're talking about critical services to banks here.” Some of the companies his team looked at were large organizations with a lot of resources at their disposal, and the lack of resilience exhibited was a shock. And, needless to say, a lot of these third-party suppliers have their own third parties.
An obvious analogy is the kind of frank talk that parents have with teenagers about safe sex.
Engineer your network
It is enough to make a CSO lose even more sleep than usual, says Anup Ghosh, founder and CEO of Invincea in Fairfax, Va. “It's hard enough to manage your own data, let alone worry what your service providers are doing,” he says. “If you're a large business that relies on smaller partners, you need to engineer your network to segregate data.”
Short of flexing the kind of muscle that NASA and Shell have, and turfing out under-achievers, Ghosh believes companies need to introduce a financial inducement for service providers.
“I think organizations should start building some sort of claw-back mechanism into service agreements,” Ghosh says. “Otherwise, as the service provider, what's my incentive to build in the kind of safeguards you require?”
Patrick Foxhoven, VP and CTO of emerging technologies at Zscaler in San Jose, Calif., says industry has a way to go before traditional covenants like service level agreements (SLAs) begin to capture the new realities of cyber risk. “SLAs really need to evolve,” he says. “I rarely see anything written into them regarding security.”
Other experts agree. “I haven't seen anything like response times on data breaches built into SLAs yet,” says Ted Julian, chief marketing officer for Cambridge, Mass.-based Co3 Systems. He believes companies that interact with consumers need to drive change. “The customer relationship owner has the ultimate responsibility.”
Julian suggests a basic first step is for organizations to include service providers in tabletop planning exercises to ensure their incident management responses are aligned. That would fit well with the movement toward building security into corporate risk management, assigning sufficient budget to it and moving ultimate responsibility out of the IT group and into the C-suite.
“Unless you're clutching tin cans to communicate, you have to see security as a business expense,” says Lookingglass's Coleman. “It's imperative to integrate security into every aspect of your business planning, and that extends to your entire supply chain.”