SecurityWeek

Risk Management

Supply Chain Intelligence is the Key to Locking the Back Door

I have regular conversations with Derek Byrum, the chief data scientist at our company, where I ask him “what’s jumping out at you?” as far as cyber trends go in a particular industry sector. You see, Derek is in a unique position via his role presiding over a large-scale, analytic cybercrime data warehouse. He continually analyzes our industry-driven cyber data and identifies outliers, impact concentrations, novelty, fast-risers, nascent trends and other “birds-eye” observations.

Most recently, I asked him about the Healthcare sector, given the recent large number of breaches and overall amount of cyber activity. What made this particular conversation interesting was that his answer to my typical question didn’t focus on one particular industry or an expected trend. Instead, he began to tell me about an alarming pattern of cyber insecurity he’s observing across industry as a whole.

Derek began to rattle off one alarming statistic after another, moving from one sector to the next. Since I began by asking about the Healthcare sector, he went into a bit of depth there to analyze trends and stats from the first half of 2014:

• Over 10 million Protected Health Information (PHI) records were lost during the period

• Almost a full 15% of all data breaches in Healthcare involved some form of accidental or purposeful mishandling of information by companies other than the organization that was breached

• Over 70% of Healthcare sector breaches were actually caused by companies whose business is not related to Healthcare

• Over 70 out of every 100 data-loss instances in Healthcare are due to physical theft or mishandling of data from both inside and outside the target organization

• Business Support Services (i.e. “outsourcing”) is to blame in over 30% of data breaches in Healthcare caused by companies external to the breached organization

And the list continued, one big indicator after another of a would-be Healthcare epidemic (and potential industry pandemic).

Wanting to explore the data a little deeper, I asked him to dig a bit more into that last bullet and to qualify what “Business Support Services” really meant. For Healthcare (and many other sectors), it’s increasingly popular to outsource functions like billing, records storage and maintenance, collections, claims processing and many, many more.

While these functions are cost-efficient and help businesses achieve better velocity across many functional areas, they are also increasingly data-driven. As such, they are increasingly big, juicy targets for most types of cyber criminals, from felonious employees acting alone to coordinated cybercrime gangs, inside jobs and even all the way to state-sponsored industrial espionage.

But, for the most part, the data that Derek pored over pointed overwhelmingly to more “everyday business” kinds of threats as represented by typical business support companies found in every enterprise supply chain.

When you step back and think about it, the risks they pose are myriad and surprisingly eye-opening.

Often, not only are these companies handling your most sensitive data, but in an increasingly cloud, SaaS and service-oriented B2B world, they have access to your key internal systems, accounts on your networks, use of your hardware and software, API keys, VPN accounts, mobile and BYOD devices inside your environments and, of course, lots and lots of other valuable (and often seemingly inert) information on everything from your internal processes to your customer or sales KPIs.

As you can imagine, the risk questions begin to pile up very quickly.

• Are they practicing good information security? Are they practicing it at all?

• What protections do they have in place so they don’t infect you?

• Are they updating their systems? Is their software up to date?

• How are they storing your data?

• Are they running background checks on their employees?

• Have they been hit by cybercrime before?

• What companies in your industry have what sorts of cyber issues?

• And so on…

Even understanding the questions to ask is itself part of the problem. For most enterprises, it’s more than overwhelming simply to even tread water against traditional cybersecurity challenges. Dedicating additional time, money, people and energy to policing your suppliers is, for most enterprises, a part of their cybersecurity strategy they just don’t have the wherewithal to address.

What’s more, unlike securing web servers or installing an anti-phishing tool, the supply chain problem is so multi-faceted it’s tough to get heads and hands around. The whole problem is really not one where there are clear-cut and easily available solutions on hand. Instead, it’s more a problem and solution space that involves a variety of defenses and human processes brought together with diligence, awareness, day-in/day-out data collection, constant monitoring and more.

The good news, though, is that supply chain cybercrime is a problem space that can immediately be made much better simply by effective intelligence gathering.

For most enterprises, it’s simply a matter of bringing focus to this often neglected area. Start by putting in place inexpensive programs and processes that ensure you get to know:

• Who your suppliers are

• How insecurities in each could potentially impact your key business areas or customers

• What industries they’re in and what cyber problems they could be susceptible to

• What accesses they have to your systems, data and networks

• What authorizations, roles and permissions they have to your key data

• Who among them is getting hit by cybercrime, how and why

• How other businesses like yours are being affected by suppliers

• Key cybercrime trends in industry sub-categories of business support services

• And so on…

Of course, continuous review, analysis and regular monitoring of this information is a must. At the end of the day, even collecting just this small amount of info regularly and diligently for your supply chain can not only help you secure your back doors, but the front entrances too.
