Hackers hit third party service providers first
Imagine you are an unethical hacker with a beef. The company you want to hurt is a large financial services firm or some other massive entity. Chances are excellent that its third-party professional services firms have far weaker security, which can offer back-door entry into its systems. Target Corporation recently gave us a great example of this.
Anyone doing business online today is at risk, and the rules of engagement, tools and methods continue to change fast. Some readers may recall a time not too long ago when a port scan was considered an act of war. Nowadays, not even 10 years later, it's a mere handshake. It's widely acknowledged that it's no longer a question of if you will be attacked and compromised, but when. Some companies are more at risk than others. Some, depending on what is at stake, are selectively targeted.
Larger companies have bigger security budgets and small armies of personnel committed to security and compliance best practices, which makes them a less vulnerable target. Hackers know this, so they seek out "softer" entry points via smaller partner and contracted companies, where the likelihood of success is exponentially greater.
Law firms, accounting, management consultants, recruiters, and mechanical and technical operations contractors are targeted because of the valuable information that can be quite easily harvested from them about their clients and their clients' networks, which can provide back-door entry into larger, more valuable systems.
Most mid-range and boutique consultancies are working hard to catch up but, with the increased frequency and scope of attacks, it is more important than ever before to ensure these assets are protected using industry-standard tools and best practices.
Insurance policies offer very limited protection, typically covering only the initial impact. These policies, while an important component of a complete and adaptable business continuity plan, do not protect a company's reputation or cover the damages or future financial impact of these kinds of disruptions to business. It would be nice if that's all it took to protect our businesses from these kinds of events, but it's only a teeny tiny part of the story. There is much more to be considered in order to design a comprehensive business continuity strategy.
While many of these service providers are aware of the risks, many are still not committed to using the same degree of external and internal penetration testing, security analysis and intrusion detection systems as their clients, and sadly not with the same degree of consistency and focus.
As the number of breaches continues to rise and to be more frequently reported in the media (let's face it, these things have always happened, they were just perhaps better contained), public awareness of these risks is rising. As a result, enterprises are increasingly carrying out risk analysis on their third-party professional suppliers, even establishing their own criteria that are often stricter than many ISO standards. Most commonly, these criteria examine the traffic and architecture involved in third-party access to what is considered their intellectual property, including website data and content, and even access into their networks, where processes, data transactions and integrations may take place and where sensitive or potentially sensitive data lies at rest. We are also seeing larger clients beginning to request that their professional services organizations produce proof of their data security methods, to ensure with greater confidence that best practices are being followed every step of the way.
For customers, an easy test of how serious suppliers are about security is this: ask if they have two-factor authentication strategies in place. If the answer is the all-too-common "Oh, that's such a hassle, we haven't been able to get anyone on board with it," then you need not bother to ask about network authentication and data encryption. It raises serious questions about whether or not you should provide that supplier with access to anything at all, even email with confidential information in the clear.
One thing we can be certain of in security is this: by the time incidents become public and a topic of conversation in the media, the methods behind them have trickled down from zero-day exploits and experimental, limited-focus attacks to much more commonly known techniques, and are thereby more widespread in both scope and impact.
If you're providing data on behalf of and/or to clients, and it is market-critical or confidential, it's a great time to review security best practices. It's always sensible to check what security reporting you are able to provide clients with, so they can verify that your security procedures are succeeding and not merely satisfying due diligence. For professional services providers, this is an opportunity for those who are already doing their best here to differentiate themselves from the many others who currently do not.