I was fascinated to read the New York Times story by Nicole Perlroth, about how hackers and cyber-spies are gaining entry to corporate databases through company third parties who have weak or no security of their own.
Back in the day, before it was considered politically incorrect, we used to talk about building a “Chinese Wall” to prevent access to information by those who shouldn’t be allowed to see it. So, the part of the article that really caught my eye, and dropped my jaw, was the lead about hackers who got into the data systems of a large oil company by installing malware in the online menu of a Chinese restaurant that was frequently browsed by the company’s employees.
The malevolent code was downloaded by the employees and then it created a window into the previously secure information the company had worked hard to protect.
Equally stunning were the article’s revelations that the Target breach began with access gained through the software controlling the cooling system, and that security researchers also gained entry to databases at a Google headquarters in Australia through software the building management vendor had installed to control ventilation, lighting, and video cameras.
Sounds more like the script of a great corporate thriller than real life, doesn’t it? But it is today’s reality, and who knows what tomorrow will look like.
As we become more and more comfortable with using the Internet for just about everything, connecting vendors to our databases so that they can serve us better and faster, and not only allowing, but encouraging employees to use their own devices, we also need to begin to think just like the writers of Hollywood crime capers and imagine what we think is unimaginable.
The fact of the matter, though, is that none of this is unimaginable, at least not to the perpetrators or the security experts. Somewhere between one-third and two-thirds of information security breaches last year (depending on whom you ask) involved third-party suppliers, and the creativity of those finding a way in seems to grow every day.
Part of the problem has to do with focus, or the lack of it. When we talk about managing our third parties, we are often hyper-focused on issues such as the reputational damage or liability we might face if they engage in bribery or corruption, or we are worried about interruptions to our supply chain. Both are valid concerns, but does that mean we should simply ignore the huge security risk of allowing a vendor with old, easily hacked systems to connect to our own, just so it can do a better job of keeping our vending machines filled or adjusting our thermostats?
And what about revisiting our priorities? Companies have big IT budgets, but just how much of that (especially in customer-facing industries like retail) goes to protecting customers’ information rather than to analyzing and marketing to their buying patterns? Not enough, I suspect.
Last but not least, we have the problem created by siloed IT, risk, and compliance operations. Maybe, just maybe, if there were better communication about the risks of taking a shortcut when designing networks that allow third-party systems to “talk to” security-critical systems such as HR and accounting, better designs would be implemented. They might take a bit longer to design or cost a bit more, but only in the short term. And maybe, just maybe, if IT personnel were properly trained to report and react to red flags that may indicate a security breach, and disciplined when they fail to act, there would be a timely opportunity to take preventive or remedial action.
Instead of letting all of our third parties’ systems talk to our own, it looks like it’s time for our IT and our governance, risk, and compliance (GRC) personnel to spend more time talking with each other. Only then can we determine our own fortune and stop the cookie (yes, pun intended) from controlling it for us.
Wondering where to start? Use the OCEG GRC Capability Model (Red Book) as a guide.