It’s Not Me, It’s You: Your Biggest Cybersecurity Risks Are Your Partners

By Craig Burland, CISO, Inversion6

You’ve been laser focused on driving cybersecurity risk out of your organization and made great progress. Kudos, well done.  But when the threats and alerts don’t stop coming, it’s time to consider that it’s not just about you.  It’s about them too.

In our digital, interconnected world, strong cybersecurity practices have become the linchpin holding together the integrity and safety of modern businesses—equally as important as the international supply chain or global monetary agreements. Just as financial markets ebb and flow based on intricate economic ties, so too does the world of cybersecurity, affecting the multifaceted relationships businesses build with one another. Your organization is akin to a single link in a mammoth chain that spans sectors, borders and platforms.  A weak link anywhere could compromise the integrity everywhere. The unsettling reality is that, often, your cybersecurity fortress is only as impenetrable as that of your least-protected partner. So, while you might be diligent, what about your partners?

Let’s look at three recent examples:

• The Log4j Vulnerability (2021): The discovery of the Log4j vulnerability spotlighted the vulnerabilities lurking within the open-source software supply chain. Log4j, a logging library integrated into a myriad of applications, had a critical flaw that allowed malicious actors to remotely execute arbitrary code. The ubiquity of this library meant that its vulnerability exposed countless systems worldwide, highlighting how a single weak link in the software supply chain can put a vast network of enterprises at risk. The incident served as a wakeup call for organizations to reevaluate and strengthen their software supply chain security.
• SolarWinds Hack (2020): An alarming testament to the chain-link vulnerability was the SolarWinds breach. A seemingly minor weakness in the software update chain of a widely used IT management tool became a conduit for a massive cyber espionage campaign. This breach affected multiple high-profile entities, including U.S. federal agencies and Fortune 500 companies, demonstrating how a single compromised link can endanger many.
• Capital One Data Breach (2019): In this incident, a former Amazon Web Services (AWS) employee exploited a misconfigured firewall in Capital One’s operations, resulting in the exposure of data of over 100 million customers. While Capital One was the primary victim, the incident raised eyebrows about the shared responsibilities and inherent risks of using third-party cloud service providers.
• Target Breach (2013): Target’s systems were infiltrated through an indirect attack on their network — an HVAC vendor. This third-party vendor had less stringent security measures, making them an easier target. Once breached, the cybercriminals navigated into Target’s more extensive network, eventually accessing millions of customers’ credit card details.

Each of these incidents has become a critical milestone in the collective understanding of 3^rd party risk.  Target highlighted the connection between Non-IT service providers and the IT environment.  SolarWinds demonstrated an inherited infiltration, cascading risk from one entity to another.  Capital One cast doubt on our understanding of the shared responsibility model.  Log4j opened our eyes to the double-edged sword of open-source software.

Lessons from these three events can form the foundation of a solid strategy to mitigate the risk of a supply chain compromise.

1. Thorough and Recurring Vetting: Begin partnerships with a comprehensive cybersecurity assessment. Before integrating any third-party service, software, or tool into your organization, ensure that it meets the highest cybersecurity standards. Commit to reviewing those assessments on an annual basis to ensure your partners remain vigilant.
2. Manage Your Asset Inventory: Catalog and track all third-party software components in your environment, especially those that are open source. Understand their usage, dependencies, and potential vulnerabilities. Prioritize the use of well-vetted, reputable software components. When a threat does materialize being able to mitigate it quickly and surgically is vital.
3. Continuous Monitoring and Communication: Establish real-time monitoring of all interactions between your environment and your partners’ environments. This includes email, data transfers, software updates, and any other digital touchpoints. Regularly communicate with partners about shared cybersecurity threats and best practices.
4. Understanding the Power of Knowledge: While advanced software and cutting-edge hardware play their part, the heart of cybersecurity lies in the informed actions and decisions of individuals. The reason is simple: a vast majority of cyber breaches occur due to human oversight or misinformation. By ensuring that every individual is educated about the potential risks and best practices, organizations can significantly minimize these vulnerabilities.
5. Contractual Obligations and Maintenance: Include robust cybersecurity clauses in all contracts with partners. This ensures that they maintain strict security standards, and it delineates clear responsibilities and actions in case of a breach. Insist on maintenance agreements that include security updates covering the useful life of the arrangement.

As your company matures its own cybersecurity, it’s critical to recognize and ensure your partners do the same. From workforce vetting to secure development, what your partners do (or don’t do) significantly affects your overall risk. As the saying goes, “A chain is only as strong as its weakest link”. So, in your next budget cycle, instead of layering on one more security tool, invest in pulling on that chain. Assess, monitor, and educate judiciously. Your cybersecurity, reputation, and ultimately, your business depends on it.

About the Author

Craig Burland is CISO of Inversion6. Craig brings decades of pertinent industry experience to Inversion6, including his most recent role leading information security operations for a Fortune 200 Company. He is also a former Technical Co-Chair of the Northeast Ohio Cyber Consortium and a former Customer Advisory Board Member for Solutionary MSSP, NTT Globhttp://www.inversion6.comal Security, and Oracle Web Center. Craig can be reached online at LinkedIn  and at our company website http://www.inversion6.com.