Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

Weak Security Socializes Risk

Rather than some technical development, I was recently intrigued by something more “social” in nature, specifically the important levels of trust so many companies place in one another.

Rather than some technical development, I was recently intrigued by something more “social” in nature, specifically the important levels of trust so many companies place in one another. Even while on my recent (otherwise) blissful vacation, I couldn’t miss the news in the New York Times and here in SecurityWeek that a small company had exposed 157 GB’s of highly sensitive data from over 100 customers, including the likes of GM, Ford, Fiat Chrysler, Toyota, Volkswagen and Tesla. The exposed data trove included everything from assembly line schematics to employee VPN access information, along with the small company’s own corporate contracts, bank account details, and scans of employee passports and driver’s licenses.

Are you a trojan horse?

I’m not an economist and hardly qualified to weigh the overall costs and benefits of the accelerating interconnectedness of our modern and frequently “virtual” economy. However, I can speak with modest authority to one real and specific risk, which very obviously many businesses still must take to heart and more aggressively manage, namely the ability of a single company to cause significant damage to their vendors, customers, and partners by being the weakest cybersecurity link in whatever business ecosystem they inhabit.

Enabled by technology, and in a quest for speed and efficiency, companies grant access to corporate data and give access to all sorts of systems today with the expectation that their business partner won’t turn out to be a trojan horse, carrying hackers and their malware (and trojans…) into the heart of their business.

This is not a new problem, but anybody feeling complacent should understand that it is a growing one. As business models evolve with technology and the degree of economic interdependency keeps growing, so does the shared “supply chain risk.” A lot of discussion of this phenomenon cites the annual Ponemon Institute survey of large companies on (the very subject of) data risk due to third parties. Often quoted is the survey’s fact that the number of companies experiencing a data breach – caused by a third party – keeps rising year-to-year, with over half now indicating they have had that unhappy experience at some point.

This was, for me, important confirmation, but not a shock. The number from the study which did surprise me was the average number of companies the survey respondents said they had given access to “sensitive information” – 471! – with the median around 100. Imagine if you gave 471 friends a copy of the key to your house – you trust them all, of course, because they’re your friends (right?). But what’s the likelihood of one of them not being as conscientious as you would like?

Socializing risk

The 25 percent growth year-to-year in the number of companies with access to sensitive information also deserves attention, and I connect this rate of growth in interdependency to the growing number of “supply chain hacks” in the headlines, where a small- or mid-size firm has found itself at the center of the uproar. Among the more famous ones, there was the Target hack via an HVAC vendor employee who received an email that was carrying a system password-stealing malware attachment, the Home Depot multi-stage attack which began with stolen vendor credentials, and the Wendy’s breach via a supplier with remote
access to cash registers.

Advertisement. Scroll to continue reading.

In each case (and hundreds of others), the cost of ineffectual security fell hard on someone other than the initial victim, a kind of modified “moral hazard” problem, where one pursues risky behavior because the consequences are diluted or even transferred elsewhere. I say “modified” because I’m certain the weak links in this chain weren’t being reckless, and I believe they also suffered consequences.

But I think there is something to be said for the idea that too many businesses today continue to “underthink” and underinvest in the necessary layers of security, and therefore are, deliberately or not, guilty of socializing their risk. The fact is that many small- to medium-sized businesses are still relying on solutions they implemented some time ago – adequate for yesterday’s threats, but not our current and fast-evolving threat environment. Or, they think they can “fly under the radar” when it comes to making even a modest investment in appropriate layers of cybersecurity. Although perhaps they won’t be able to do that for much longer, as security is increasingly a factor when companies choose new suppliers.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...