You aren’t on your own in cybersecurity, but you should act like you are
By Gregory Hoffer, CEO, Coviant Software
Cybersecurity management is a dynamic process. There is no “set it and forget it.” Things move fast, conditions change constantly, and often the things that change happen beyond your control or notice. For organizations heavily invested in cloud services, the applications and computing instances you rely may change moment-to-moment. It’s hard to keep up.
Modern IT infrastructure is a mélange of on premises and cloud, hardware and software, owned and subscribed, in-house and third-party, fixed and ephemeral. And even if you have a handle on monitoring your IT estate, you’ve still got to pay attention to conditions affecting your direct and indirect partner relationships. The recent SolarWinds breach was a reminder of the ways criminal hackers can exploit weaknesses in the digital supply chain to work their way into target networks. But there is another threat that can take advantage of vulnerabilities in third-party systems and relationships that does not get the attention it deserves.
The high-tech industry changes quickly. Innovators come on the scene with new ways to solve old problems and, with the backing of venture capital, aggressively work to build market share. Mid-market players merge to create momentum. Large companies buy startups to add capabilities without incurring undue risk. Stockholders, founders, and venture capitalists, all eager to make money on their investments, push for deals that will turn them a profit, disrupting markets and often creating chaos for customers.
Wall Street tracks these mergers and acquisitions. When a public company is involved in the deal, it can affect stock prices and so it’s important for portfolio managers to pay attention. Industry analysts track these moves in an effort to provide guidance to clients who want to know what it means for them. Hackers pay attention to these developments, too. M&A activity often affects the security posture of organizations that are users of the technology or applications involved.
After a company has been acquired, major changes to the product typically follow. That can mean products that are redundant to the acquirer’s catalog are killed and the customers migrated to the incumbent, or customer service and support teams that had developed detailed institutional knowledge of their users are not retained and the responsibilities shifted to new personnel or even outsourced. That can result in vulnerabilities that go undiscovered, unpatched, and exploitable.
When disruption affects products that organizations rely on to keep data safe, the implications can be serious. The managed file transfer (MFT) industry, where Coviant Software operates, is one such example. MFT products are a foundational element in data management and security programs, and their essential role is reflected in an annual growth rate of over 10%, and market value that will exceed $3 billion by 2026, according to Global Market Insights. That value has attracted M&A activity resulting in industry consolidation, with a number of key players getting purchased by larger organizations.
In one case, a twenty-year-old file transfer appliance in wide use got caught between the obsolescence of its operating system and the release of its newly designed replacement. Hackers took advantage of the lapse and breached a number of well-known companies, including the Kroger supermarket chain and Royal Dutch Shell, operator of Shell gas stations. According to TechRepublic, the appliance was left vulnerable to exploitation by a common SQL injection attack, and while it is hard for an outsider to know the details of any data breach, experts familiar with the situation suggest that resources and attention were shifted from the legacy product to the replacement. Meanwhile, the operating system’s maker ended its support of the product, and so patches were not being written and distributed.
Poor communication and coordination seem to be the common thread in the breaches that resulted, prompting one security expert to recommend to TechRepublic that organizations “do a closer analysis of any legacy/near-end-of-life products which may no longer be receiving the expected vulnerability testing efforts.”
Sometimes M&A activity can have security implications on a scale well beyond the product level. Consider the scenario hospitality giant Marriott International faced after acquiring the Starwood Hotel chain. What Marriott didn’t know was that Starwood’s IT systems had been compromised by hackers before the acquisition took place. In this case the hackers laid low, choosing to passively monitor their victim for many months and so the breach went undetected. After the two organizations were integrated, however, the hackers began siphoning off data, resulting one of the largest breaches of consumer data to date.
While customers might expect to be informed of major changes to the products and services they use, it doesn’t always happen, and so the responsibility is ultimately on the enterprise to take ownership of their own security, even if that means assuming that any component, software, or application that it does not have complete control over is likely already compromised. From there, the organization must exercise diligent, continuous testing of all systems in order to ensure changes in status are detected, security gaps are identified, and proper action is taken to close those gaps quickly.
It can be easy to think that, because a vendor or service provider markets their offerings on security, you don’t have to worry about it. But as the lessons of cybertheory tell us, organizations can’t rely on others to address their data security needs. Trust not in third-parties. Do your due diligence when making purchasing decisions, and keep the conversation going. Pay attention to changes and, if one of your partners or vendors is involved in any market deals—directly or indirectly—find out what the implications are for your organization.
Vendors and service providers should regard their customers and subscriber relationships as more than merely transactional. But just because you’ve invested your trust in them doesn’t mean they will continue to earn that trust. No organization is perfect; adversaries are counting on it.
About the Author
Gregory Hoffer is CEO of Coviant Software, maker of the secure, managed file transfer platform Diplomat MFT. Greg’s career spans two decades of successful organizational leadership and award-winning product development. He was instrumental in establishing ground-breaking technology partnerships that helped accomplish Federal Information Processing Standards (FIPS), the DMZ Gateway, OpenPGP, and other features essential for protecting large files and data in transit.