Organisations are managing a growing and increasingly complex ecosystem of partners, suppliers and vendors.
With each new digital connection there are new risks, particularly as businesses become more interconnected and share data and network access. Threat actors will often attack third parties to reach their true target, and can steal a business’s sensitive data without ever breaching its network directly. Organisations have little visibility of the risks stemming from their extended supply chain until the worst has already happened.
Even with a moderate supply chain network of hundreds or thousands of third parties, organisations need to invest in new methods and tools to track threats and data breaches originating outside their own perimeter.
The growing third-party risk
Cybercriminals will always seek the easiest route when planning their attack, frequently targeting smaller and more vulnerable third parties to sidestep the robust defences of larger organisations. As smaller companies increasingly use web services and cloud applications, they are providing an enticing entry point for attackers to take aim at larger organisations: in fact, according to Verizon’s DBIR, 28% of data breaches now involve small businesses.
Organisations are particularly at risk if employees reuse the same corporate login credentials to access other third-party sites. If these sites are breached, then the staff member may have inadvertently given the hackers all they need to break into their own organisation’s IT network.
Attackers will also exploit vulnerabilities in the APIs used to integrate software tools. This was a tactic employed earlier this year when a third-party retail app exposed the data of almost eight million people. The software tool was used by small EU merchants to calculate value-added taxes for different EU countries and pulled sales data from leading firms including Amazon UK and PayPal. The data – which included names, addresses and the last four digits of credit cards – was left publicly accessible online.
Using access to partner information and systems to mount social-engineering attacks is also on the rise, with 79% of companies experiencing an increase. This kind of attack, where staff are tricked into making payments or sharing data by someone they think is a trusted party, is made all the easier now that many organisations rely on staff who work remotely. The Ponemon Institute study also revealed that the number of businesses rating their defence posture as effective or highly effective had dropped from 71% to 44% as a direct result of remote working.
The challenge of the extended supply chain network
While organisations will never have as much control over a supplier’s security as they do over their own, they can take steps to minimise risks. Security standards must be set out within service level agreements (SLAs), for instance by insisting that the third party holds ISO 27001 certification as a minimum and by ensuring that the supplier has a framework of policies and procedures governing its information risk management processes.
Unfortunately, this approach is rare.
The UK Government’s Data Breaches Survey 2019 indicates that fewer than one in five businesses (18%) demanded that their suppliers have any form of cybersecurity standard or good practice guidelines in place.
The issue becomes more complicated still when the sheer scale and intricacy of the average supply chain network comes into play. A firm may have its data stolen from a company three or four connections deep into the supply chain. If the breached third party lacks the ability to detect an attack itself, a company’s data could be in the hands of criminals for months before it is finally alerted to the breach.
Keeping data in sight
Even if a security breach originates with a third party, it will carry just as much of a financial and reputational cost as a direct attack on the organisation’s own network. Companies trading in the EU are governed by the GDPR, which always holds the data owner responsible for a breach regardless of where it happened, and are therefore liable to financial penalties.
But organisations can take steps to keep track of their own data and monitor for potential leaks or breaches, even if the source of the breach lies outside their own network.
Continually monitoring the surface, deep and Dark Web can help to find sensitive data, especially on forums where stolen data is commonly shared or sold. However, dumps of usernames, emails and passwords are often compiled from multiple breaches, so finding a specific data set and verifying its original owner can be a difficult task.
One of the best ways of achieving this is to use digital watermarking. This approach involves tagging each data set with a unique synthetic marker not found anywhere else. For example, a customer database could include a fictional individual with a unique set of details. As this marker only exists in this database, the company knows with absolute certainty when that marker shows up that the data belongs to them.
Real-time alerts can inform the company when watermarked data has been leaked online, so it can instantly tackle the leak at its source, close the breach and identify affected customers.
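The two steps just described, tagging a data set with a synthetic record and then recognising that record in a leaked dump, can be sketched in a few dozen lines. The following is an added illustration written for this article; it is not Skurio's product code, and the key value, field layout, data-set names and the sample dump are all constructed for the example. The canary is derived with an HMAC over a data-set (or recipient) identifier, so the owner can regenerate it at will while nobody without the key can guess which record is the marker, and the scanner normalises e-mail addresses before matching because dumps are routinely re-formatted and merged from several breaches.

```python
import hashlib
import hmac
import re

# Assumed value for illustration only; in practice the key lives in a secrets store.
WATERMARK_KEY = b"constructed-example-key-do-not-reuse"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def make_canary(dataset_id: str, key: bytes = WATERMARK_KEY) -> dict:
    """Derive one synthetic customer record for a data set (or for one copy
    of it handed to one supplier).  HMAC over the data-set id makes the marker
    reproducible for the owner and unguessable for anyone without the key."""
    tag = hmac.new(key, dataset_id.encode(), hashlib.sha256).hexdigest()
    return {
        "name": f"Canary {tag[:6].upper()}",
        # The .example TLD is reserved, so the address can never be routable.
        "email": f"cx-{tag[:12]}@mail.example",
        "postcode": f"ZZ{tag[12:14].upper()} {tag[14].upper()}XX",
    }


def watermark(records: list, dataset_id: str) -> list:
    """Return a copy of the data set with its canary record appended."""
    return list(records) + [make_canary(dataset_id)]


def build_registry(dataset_ids) -> dict:
    """Map each canary e-mail (lower-cased) back to the data set it marks."""
    return {make_canary(d)["email"].lower(): d for d in dataset_ids}


def scan_dump(dump_text: str, registry: dict) -> list:
    """Scan a leaked dump line by line and return (dataset_id, line_no) for
    every canary found.  Only the e-mail field is matched, lower-cased first,
    because dumps are re-formatted and compiled from many sources."""
    hits = []
    for line_no, line in enumerate(dump_text.splitlines(), start=1):
        for email in EMAIL_RE.findall(line):
            dataset_id = registry.get(email.lower())
            if dataset_id is not None:
                hits.append((dataset_id, line_no))
    return hits


def build_sample_dump() -> str:
    """Constructed combined-breach dump (no real data).  Line 2 carries the
    supplier-a canary, upper-cased and in a different layout from our own."""
    leaked = make_canary("supplier-a")["email"].upper()
    return "\n".join([
        "john.doe@corp.example:Summer2020!",
        f"{leaked}|Pa55word|2020-11-01",
        "jane@other.example,Jane Roe,SW1A 1AA",
    ])


if __name__ == "__main__":
    customers = [{"name": "Jane Roe", "email": "jane@other.example", "postcode": "SW1A 1AA"}]
    shared_with_a = watermark(customers, "supplier-a")
    registry = build_registry(["supplier-a", "supplier-b"])
    print("records sent to supplier-a:", len(shared_with_a))
    print("canary hits in dump:", scan_dump(build_sample_dump(), registry))
```

Deriving a different canary per recipient, rather than one per data set, is what lets the scanner report not just that the data is yours but which supplier's copy it came from; the registry above is the lookup that turns a matched marker into that answer.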
Even if a breach happens outside the company’s control, this capability allows the firm to handle it with confidence. They can quickly inform customers and regulators, helping to minimise the reputational fallout and potential regulatory action. Watermarked data will empower firms to stay in control no matter how vast the web of suppliers and the flow of data around them becomes.
About the Author
Jeremy Hendy serves as the Chief Executive Officer at Skurio. He brings considerable experience of semiconductor sales and marketing across multiple technologies for wireless communication and digital video. Previous positions include Marketing Director of wireless USB start-up Artimi, VP Marketing for Aspex Semiconductor, and Strategic Technology Director of Cadence’s Wireless and Multimedia business unit.
Featured image: ©Peshkov