By The #CyberAvengers
Breaches of a particular type keep popping up on our radar: those caused by a vendor, contractor, or other third party not taking “good care” of an organization’s sensitive data. The issues are endless: misconfigured software or hardware, mishandled information, administrative privileges not locked down, you name it. All of these issues leave the information exposed to the gawkers of the Internet.
You know how this story goes: data gets stolen and the corporation’s customers suffer the consequences. Worse is when the breach happens to military contractors and subcontractors, putting the national and economic security of the country at greater risk. Some of these secrets are so valuable that their loss cannot be calculated. How do you accurately cost out a 10-, 20-, 30-year loss of a strategic advantage? You can’t.
If we’re counting cybersecurity issues we face today, we’ll quickly run out of fingers. And no pun intended, but those same fingers are one of the major issues!
Here is an issue that should be at the top of your head: vendor and supply chain cyber due diligence. When this goes badly, it's not just a potential five-alarm fire on your hands; it's a possible San Francisco Fire of 1851 if mismanaged! That’s the fire that wiped out three quarters of the city.
Quick Tips to Set Up an Early Warning System
Here are a few quick tips that set up an early warning system, giving you a chance to make sure your “cyber fire” does not get out of control:
Better contractual terms and conditions. As an example, if you are under a duty to protect information pursuant to HIPAA, then so are your vendors. Or if you are a government agency and have contracted out sensitive work, you can require, as a minimum, that your internal rules be followed by contractors. And of course you can add more.
Quarterly audits and assessments. Risk profiles change over time and in the cybersecurity world, risk profiles can change between heartbeats. If you are not patching your software and hardware in a timely fashion, you’re asking for trouble, but at least you can do something about it. What of your vendor though? To be blunt, there is only one real solution: be in their face and make sure their stuff is up to snuff.
“Show and Tell” visits. Nothing different than “trust, but verify.” Once a year go visit your critical suppliers and ask them the tough questions in person. It’s easy to squirm out of the tough stuff over the phone or through emails. Look them in the eye. You may be impressed by their response. You may not. But there is a lot to say for that in-person interaction.
Make the plan, test the plan. If you don’t have incident response, business continuity, and crisis communication plans, you’re in trouble. Some of you may even be required to have them by your regulators. Easy rule: if your regulator says you need to do it, you need to ensure that your vendor does it also. Yes, it’s a drag on business, but it’s what you have to deal with. Don’t like it? File a complaint with the regulator. And here’s a pro tip: if you haven’t tested your plan, you don’t have a plan – you have some paper. Seconds count in the cyber world.
More Tips for those Critical Vendors
Those were just the basics. Sometimes you need more for those critical vendors – you know, the ones that allow your factory assembly line to operate or run your direct sales department.
Consider these ideas:
Restricted Access. It’s okay to be strict about controls and to enforce least-privilege access to your networks and systems. If your vendors don’t absolutely need access, make sure they don’t have it. Simple, but this can be overlooked.
Artificial Intelligence and Machine Learning. If it’s within your budget, give it serious thought. Remember: use this surgical tool to monitor anomalous behavior, suspicious activity, and odd network traffic. If you’re using it for something else, you may be getting into the creepy zone.
Design matters. Understand the vendor’s “product design process” before you start signing on the dotted line. Where possible, insist that projects are designed using the “security by design” methodology (reference NIST SP 800-160 [note: link opens a PDF] for more information). If you yourself are not trying to break it along the way, be sure the bad guys are.
Sharp-toothed contracts. If it matters, protect it. You are perfectly within your rights to ask your vendors to meet cybersecurity/data privacy standards, controls, policies, and procedures if they want your business. Heavy-handed penalties are completely reasonable if these conditions are not met. After all, it’s your risk profile we’re talking about.
We understand that the last point could be interpreted as somewhat controversial, but as we hinted above, the costs of these breaches are not easy to quantify, and they can easily burn through your organization, leaving it in ashes. If you’re dishing out multi-million- and multi-billion-dollar contracts, then it is only fair – and right – that you require your vendors to have a top-level cybersecurity game.
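To make the “Restricted Access” tip above concrete, here is an added example (not code from the #CyberAvengers) of a periodic vendor access review: it flags third-party accounts whose contract has ended, that have gone dormant, or that hold roles beyond what the contract approved. The account records, field names and the 30-day dormancy threshold are constructed assumptions, not any particular IAM product’s schema.

```python
# Added example: quarterly review of third-party accounts against the
# "if they don't absolutely need access, they don't get it" rule.
# All records below are constructed sample data; field names are assumptions.
from datetime import date

DORMANT_DAYS = 30                  # assumption: unused vendor access this old is suspect
REVIEW_DATE = date(2025, 9, 15)    # constructed "today" for the review run

# Constructed inventory: each vendor account with its contract end date,
# last login, roles actually granted, and roles the contract approves.
VENDOR_ACCOUNTS = [
    {"user": "hvac-svc", "vendor": "CoolAir", "contract_end": date(2025, 12, 31),
     "last_login": date(2025, 9, 1),
     "roles": {"bms-read"}, "approved_roles": {"bms-read"}},
    {"user": "plc-integrator", "vendor": "LineWorks", "contract_end": date(2025, 6, 30),
     "last_login": date(2025, 6, 20),
     "roles": {"plc-admin"}, "approved_roles": {"plc-admin"}},
    {"user": "crm-consult", "vendor": "SalesBoost", "contract_end": date(2026, 3, 31),
     "last_login": date(2025, 5, 1),
     "roles": {"crm-read", "domain-admin"}, "approved_roles": {"crm-read"}},
]


def review_vendor_access(accounts, today):
    """Return (user, reason) findings for vendor access to remove or cut back."""
    findings = []
    for acct in accounts:
        # Contract over: the account has no remaining business justification.
        if acct["contract_end"] < today:
            findings.append((acct["user"], "contract expired; disable account"))
        # Dormant: nobody is using it, so it is pure attack surface.
        if (today - acct["last_login"]).days > DORMANT_DAYS:
            findings.append((acct["user"], "dormant; confirm still needed or disable"))
        # Over-privileged: roles granted that the contract never approved.
        excess = acct["roles"] - acct["approved_roles"]
        if excess:
            findings.append((acct["user"],
                             "roles beyond contract scope: " + ", ".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for user, reason in review_vendor_access(VENDOR_ACCOUNTS, REVIEW_DATE):
        print(f"{user}: {reason}")
```

Feed it an export from your identity provider and run it as part of the quarterly audit; every finding is a conversation to have with the vendor, not a silent deletion.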
This is a partial list of concerns and remedies, but we are fans of “the basics.” Get the basics right and you’re going to be ahead of most others. In fact, getting the basics right could be the difference between a small kitchen fire and one that burns down the entire house.
About The #CyberAvengers
The #CyberAvengers is a group of salty and experienced professionals who have decided to work together to help keep this nation and its data safe and secure.
Find them on Twitter: