I have regular conversations with Derek Byrum, the chief data scientist at our company, where I ask him “what’s jumping out at you?” as far as cyber trends go in a particular industry sector. You see, Derek is in a unique position via his role presiding over a large-scale, analytic cybercrime data warehouse. He continually analyzes our industry-driven cyber data and identifies outliers, impact concentrations, novelty, fast-risers, nascent trends and other “bird’s-eye” observations.
Most recently, I asked him about the Healthcare sector, given the recent large number of breaches and overall amount of cyber activity. What made this particular conversation interesting was that his answer to my typical question didn’t focus on one particular industry or an expected trend. Instead, he began to tell me about an alarming pattern of cyber insecurity he’s observing across industry as a whole.
Supply chain cybercrime.
Derek began to rattle off one alarming statistic after another, moving from one sector to the next. Since I began by asking about the Healthcare sector, he went into a bit of depth there to analyze trends and stats from the first half of 2014:
• Over 10 million Protected Health Information (PHI) records were lost during the period
• Almost a full 15% of all data breaches in Healthcare involved some form of accidental or purposeful mishandling of information by companies other than the organization that was breached
• Over 70% of Healthcare sector breaches were actually caused by companies whose business is not related to Healthcare
• Over 70 out of every 100 data-loss instances in Healthcare are due to physical theft or mishandling of data from both inside and outside the target organization
• Business Support Services (i.e. “outsourcing”) is to blame in over 30% of data breaches in Healthcare caused by companies external to the breached organization
And the list continued, one big indicator after another of a would-be Healthcare epidemic (and potential industry pandemic).
Wanting to explore the data a little deeper, I asked him to dig a bit more into that last bullet and to qualify what “Business Support Services” really meant. For Healthcare (and many other sectors), it’s increasingly popular to outsource functions like billing, records storage and maintenance, collections, claims processing and many, many more.
While these functions are cost-efficient and help businesses achieve better velocity across many functional areas, they are also increasingly data-driven. As such, they are increasingly big, juicy targets for most types of cyber criminals, from felonious employees acting alone, to coordinated cybercrime-gang inside jobs, all the way to state-sponsored industrial espionage.
But, for the most part, the data that Derek pored over pointed overwhelmingly to more “everyday business” kinds of threats, as represented by the typical business support companies found in every enterprise supply chain.
When you step back and think about it, the risks they pose are myriad and surprisingly eye-opening.
Often, not only are these companies handling your most sensitive data, but in an increasingly cloud, SaaS and service-oriented B2B world, they have access to your key internal systems, accounts on your networks, use of your hardware and software, API keys, VPN accounts, mobile and BYOD devices inside your environments and, of course, lots and lots of other valuable (and often seemingly inert) information on everything from your internal processes to your customer or sales KPIs.
As you can imagine, the risk questions begin to pile up very quickly.
• Are they practicing good information security? Are they practicing it at all?
• What protections do they have in place so they don’t infect you?
• Are they updating their systems? Is their software up to date?
• How are they storing your data?
• Are they running background checks on their employees?
• Have they been hit by cybercrime before?
• What companies in your industry have what sorts of cyber issues?
• And so on…
Even understanding the questions to ask is itself part of the problem. For most enterprises, it’s more than overwhelming simply to even tread water against traditional cybersecurity challenges. Dedicating additional time, money, people and energy to policing your suppliers is, for most enterprises, a part of their cybersecurity strategy they just don’t have the wherewithal to address.
What’s more, unlike securing web servers or installing an anti-phishing tool, the supply chain problem is so multi-faceted it’s tough to get heads and hands around. The whole problem is really not one where there are clear-cut and easily available solutions on hand. Instead, it’s more a problem and solution space that involves a variety of defenses and human processes brought together with diligence, awareness, day-in/day-out data collection, constant monitoring and more.
The good news, though, is that supply chain cybercrime is a problem space that can immediately be made much better simply by effective intelligence gathering.
For most enterprises, it’s simply a matter of bringing focus to this often neglected area. Start by putting in place inexpensive programs and processes that ensure you get to know:
• Who your suppliers are
• How insecurities in each could potentially impact your key business areas or customers
• What industries they’re in and what cyber problems they could be susceptible to
• What accesses they have to your systems, data and networks
• What authorizations, roles and permissions they have to your key data
• Who among them is getting hit by cybercrime, how and why
• How other businesses like yours are being affected by suppliers
• Key cybercrime trends in industry sub-categories of business support services
• And so on…
Of course, continuous review, analysis and regular monitoring of this information is a must. At the end of the day, even collecting just this small amount of info regularly and diligently for your supply chain can not only help you secure your back doors, but the front entrances too.