In mid-December 2013, American consumers were surprised to learn that a national retailer, Target, had become the victim of a massive data breach through a third party. As more details emerged, consumers found out the breach affected an estimated 110 million shoppers. Attackers were able to install a data-stealing piece of software, BlackPOS, on Target's point-of-sale (POS) systems and stole credit and debit card data. The scope of the data loss also extended to include individuals' names, as well as home and email addresses.
Following closely on the heels of the Target breach, Easton-Bell Sports, Bright Horizons, several major hotel chains and Bell-Canada also announced that their systems or data were compromised. Even more surprising, all of the compromised organizations had at least one thing in common with Target – the breaches had occurred by exploiting weaknesses in the systems and processes of a third-party business partner.
The lesson to learn from this recent bit of history is that companies must evaluate the security posture of their business partners and extend security monitoring to include their entire ecosystem. Without a more rigorous level of third-party risk management, companies are blind to changing risks and can be slow to detect incidents increasing their risk of a breach through a third party.
Unfortunately, current methods to evaluate these risks are inadequate and cannot contend with rapidly evolving cyber security threats. Traditionally, third-party risk assessments have been performed through questionnaires, on-site visits and network penetration testing. For the most part, these assessments are based on a single point in time and are infrequently, if ever, revisited.
Given the open and interconnected nature of the internet, there is a tremendous amount of information that one can learn about the security effectiveness of an organization by simply observing and analyzing the vast amount of data available from outside the organization itself. Although this type of data does not necessarily equate to identification of data loss, it undoubtedly indicates that an organization has been less effective in thwarting attackers' efforts to access its resources and, therefore, has a higher risk of such loss. The longer those computers are under the control of an external adversary, the more opportunity attackers have to steal sensitive data; or in Target's case, move laterally within the cyber supply chain to partners. These billions of data observations, as perfunctory and imprecise as they may be, weave together over time and coalesce into key risk indicators. Risk indicators that were once infeasible are opening up new possibilities for how to measure and manage risks in within the business cyber ecosystem.
Clearly no one can guarantee that their organization will never be breached. Securing and managing the risks to an enterprise has proven especially difficult – particularly in our hyper-connected business world. However, there are at least three things companies can do today to fight against the breaches of tomorrow. First, cyber security must become an executive-level issue and be part of major business decisions. Second, companies should leverage new technologies to build good models that assess risk throughout the ecosystem – suppliers, payment processors, etc. And lastly, companies must continuously measure and monitor cyber risk as threats are constantly evolving. Adapting to new technologies and continuing to monitor risk throughout your ecosystem may keep you a step ahead of the next major breach. In fact, it may even save your business.
Stephen Boyer is CTO and co-founder of BitSight Technologies. Previously, he was president and co-founder of Saperix.