Rather than some technical development, I was recently intrigued by something more “social” in nature, specifically the high levels of trust so many companies place in one another. Even while on my recent (otherwise) blissful vacation, I couldn’t miss the news in the New York Times and here in SecurityWeek that a small company had exposed 157 GB of highly sensitive data from over 100 customers, including the likes of GM, Ford, Fiat Chrysler, Toyota, Volkswagen and Tesla. The exposed data trove included everything from assembly line schematics to employee VPN access information, along with the small company’s own corporate contracts, bank account details, and scans of employee passports and driver’s licenses.
Are you a trojan horse?
I’m not an economist and hardly qualified to weigh the overall costs and benefits of the accelerating interconnectedness of our modern and frequently “virtual” economy. However, I can speak with modest authority to one real and specific risk, which very obviously many businesses still must take to heart and more aggressively manage, namely the ability of a single company to cause significant damage to their vendors, customers, and partners by being the weakest cybersecurity link in whatever business ecosystem they inhabit.
Enabled by technology, and in a quest for speed and efficiency, companies grant access to corporate data and give access to all sorts of systems today with the expectation that their business partner won’t turn out to be a trojan horse, carrying hackers and their malware (and trojans…) into the heart of their business.
This is not a new problem, but anybody feeling complacent should understand that it is a growing one. As business models evolve with technology and the degree of economic interdependency keeps growing, so does the shared “supply chain risk.” Much of the discussion of this phenomenon cites the annual Ponemon Institute survey of large companies on the very subject of data risk due to third parties. Often quoted is the survey’s finding that the number of companies experiencing a data breach – caused by a third party – keeps rising year over year, with over half now indicating they have had that unhappy experience at some point.
This was, for me, important confirmation, but not a shock. The number from the study which did surprise me was the average number of companies the survey respondents said they had given access to “sensitive information” – 471! – with the median around 100. Imagine if you gave 471 friends a copy of the key to your house – you trust them all, of course, because they’re your friends (right?). But what’s the likelihood of one of them not being as conscientious as you would like?
The 25 percent year-over-year growth in the number of companies with access to sensitive information also deserves attention, and I connect this rate of growth in interdependency to the growing number of “supply chain hacks” in the headlines, where a small- or mid-size firm has found itself at the center of the uproar. Among the more famous ones, there was the Target hack via an HVAC vendor employee who received an email carrying a password-stealing malware attachment, the Home Depot multi-stage attack which began with stolen vendor credentials, and the Wendy’s breach via a supplier with remote access to cash registers.
In each case (and hundreds of others), the cost of ineffectual security fell hard on someone other than the initial victim, a kind of modified “moral hazard” problem, where one pursues risky behavior because the consequences are diluted or even transferred elsewhere. I say “modified” because I’m certain the weak links in this chain weren’t being reckless, and I believe they also suffered consequences.
But I think there is something to be said for the idea that too many businesses today continue to “underthink” and underinvest in the necessary layers of security, and therefore are, deliberately or not, guilty of socializing their risk. The fact is that many small- to medium-sized businesses are still relying on solutions they implemented some time ago – adequate for yesterday’s threats, but not our current and fast-evolving threat environment. Or, they think they can “fly under the radar” when it comes to making even a modest investment in appropriate layers of cybersecurity. Although perhaps they won’t be able to do that for much longer, as security is increasingly a factor when companies choose new suppliers.