Broken Security Promises and the Big Threat from Smaller Partners
When two companies are directly connected to each other, each needs to trust that the other is doing all it can to shore up its defenses. What happens, though, when the relationship between the two is lopsided because of size? Enterprises, while often the target of sophisticated actors, have sizable IT and security budgets that let them build defense in depth. That is rarely the case for small businesses, which leaves them more exposed to cyberattacks.
The US Small Business Administration recently reported, “88% of small business owners felt their business was vulnerable to a cyber attack. Yet many businesses can’t afford professional IT solutions, they have limited time to devote to cybersecurity, or they don’t know where to begin.”
Bigger Isn’t Always Better
Are you assuming that a robust cybersecurity posture of your own means you are not at the mercy of your downline partners' defenses? Look at any large global enterprise that relies heavily on much smaller partners and supply-chain contractors. Maybe it is a pharmaceutical giant or a global manufacturer. Maybe it is the Department of Defense. The number of partners, suppliers and vendors with which they do trusted business is dizzying. Yet in many cases those smaller partners do not have the same operational security as the larger organization.
When a smaller organization lacks the ability to defend against or detect threats, it gets compromised, and the adversary uses that foothold to attack the larger target: you.
Determining Risk of Smaller Partners
For too long, organizations have assessed partner risk by asking partners to attest that they have not been compromised. They send questionnaires, or use platforms that organize the questionnaires, with the goal of getting vendors and suppliers to commit to a compliance audit. This "tell me how you're doing" approach is deeply flawed for several reasons. First, it relies entirely on the partner's awareness of its own threat environment, which may be limited; the partner may not know about current or past exposures and vulnerabilities that have already been exploited. Second, it assumes the partner will disclose malicious activity, even when doing so runs directly against its business interests: admitting a recent breach may cost it the contract or force expensive security improvements. Lastly, a compliance audit has a start and a stop date, so it cannot keep pace with the ongoing threats facing that downstream partner, and a point-in-time audit can also miss backdoors and stealthy malware that remain dormant.
The larger question enterprises need to ask is how they can verify their partners' assurances. Questionnaires and compliance checks only go so far. How do you know for certain that one of your partners is not actively compromised today, or that it will not be compromised six months from now through one of its own vendors or suppliers? Companies have to think about the extended attack surface and how infections move through the supply chain. Your risk exposure is not limited to your immediate partners; it extends to third-, fourth- and fifth-degree connections as well.
Prioritize Peripheral Risk
If one of your downline partners or suppliers becomes infected, it is only a matter of time before that compromise reaches you: through shared access accounts, exploitation of weaknesses in your own infrastructure, phishing of your staff, or plain human error.
What you need to understand is the dynamic, asymmetric nature of the threat. Malware, and the adversaries and APT groups deploying it, are built to break expected patterns. They actively look for any weak link they can exploit to reach the richest source of data, which is usually the enterprise, and once in they try to blend into normal activity so that they do not look like an anomaly.
Unless you have visibility into the network of your suppliers and vendors, you cannot really be certain of their assurances. The only way to verify their security is to have telemetry in place so that you can monitor for any malicious activity that reaches you through your supply chain.
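One concrete place where that telemetry already exists is your own authentication logs for the shared access accounts partners use, the vector named above. The following Python is an added example, not code from the original article or from any vendor product: it audits constructed VPN/SSO login records for hypothetical partner service accounts against a contractual baseline (the source networks and hours each partner is expected to connect from) and flags logins from unexpected networks, logins outside expected hours, and bursts of failed logins. All account names, networks and log lines are made up for illustration.

```python
"""Audit partner (third-party) account logins against a contractual baseline.

Added example, not from the original article. Account names, networks and
log records below are constructed for illustration only.
"""
import ipaddress
from collections import deque
from datetime import datetime, timedelta

# Hypothetical baseline per partner service account: the networks the partner
# is contracted to connect from, and the UTC hours (start inclusive, end
# exclusive) during which its access is expected. Values are constructed.
PARTNER_BASELINE = {
    "svc-acme-logistics": {"networks": ["203.0.113.0/24"], "hours": (8, 18)},
    "svc-nimbus-pharma": {"networks": ["198.51.100.0/24"], "hours": (0, 24)},
}

# Constructed authentication records: "<UTC timestamp> <account> <source IP> <result>".
SAMPLE_LOG = """\
2024-03-04T09:12:00Z svc-acme-logistics 203.0.113.17 success
2024-03-04T02:41:00Z svc-acme-logistics 203.0.113.17 success
2024-03-04T10:05:00Z svc-acme-logistics 192.0.2.44 success
2024-03-04T11:30:00Z svc-nimbus-pharma 198.51.100.9 success
2024-03-04T11:31:00Z svc-nimbus-pharma 198.51.100.9 failure
2024-03-04T11:31:20Z svc-nimbus-pharma 198.51.100.9 failure
2024-03-04T11:31:40Z svc-nimbus-pharma 198.51.100.9 failure
2024-03-04T11:31:55Z svc-nimbus-pharma 198.51.100.9 failure
2024-03-04T11:32:10Z svc-nimbus-pharma 198.51.100.9 failure
2024-03-04T11:32:30Z svc-nimbus-pharma 198.51.100.9 failure
2024-03-04T12:00:00Z alice 10.0.0.5 success
"""


def parse_line(line):
    """Parse one record into (timestamp, account, ip, result); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ip = ipaddress.ip_address(parts[2])
    except ValueError:
        return None
    return ts, parts[1], ip, parts[3]


def audit_partner_logins(log_text, baseline=PARTNER_BASELINE,
                         burst_threshold=5, burst_window=timedelta(minutes=2)):
    """Return a list of findings for partner accounts that deviate from baseline.

    Each finding is a dict with ts, account, ip and one of the reasons
    unknown_network, outside_hours or failure_burst. Non-partner accounts are
    ignored; a different control would cover them.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r[0])  # log order is not guaranteed to be time order
    allowed = {acct: [ipaddress.ip_network(n) for n in cfg["networks"]]
               for acct, cfg in baseline.items()}
    failures = {acct: deque() for acct in baseline}  # sliding window of failure times
    findings = []
    for ts, account, ip, result in records:
        cfg = baseline.get(account)
        if cfg is None:
            continue
        if result == "success":
            if not any(ip in net for net in allowed[account]):
                findings.append({"ts": ts, "account": account, "ip": str(ip),
                                 "reason": "unknown_network"})
            start, end = cfg["hours"]
            if not (start <= ts.hour < end):
                findings.append({"ts": ts, "account": account, "ip": str(ip),
                                 "reason": "outside_hours"})
        else:
            window = failures[account]
            window.append(ts)
            while window and ts - window[0] > burst_window:
                window.popleft()
            if len(window) >= burst_threshold:
                findings.append({"ts": ts, "account": account, "ip": str(ip),
                                 "reason": "failure_burst"})
                window.clear()  # report one burst, then start counting again
    return findings


if __name__ == "__main__":
    for f in audit_partner_logins(SAMPLE_LOG):
        print(f"{f['ts']:%Y-%m-%dT%H:%M:%SZ} {f['account']} {f['ip']} {f['reason']}")
```

On the constructed log this yields three findings: one partner login from a network outside the contracted range, one login at 02:41 UTC for an account expected only during business hours, and one burst of failed logins against a partner account. The check is deliberately narrow: it confirms what partner credentials are doing on your side of the connection, which a questionnaire never can, but it says nothing about the state of the partner's own network, so the baseline has to be agreed with the partner up front and revisited whenever its connectivity changes.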