Online attacks that come by way of suppliers and other third party business partners are one of the biggest threats that modern organizations face. But too few firms are giving supply chain security the attention it deserves, a panel of legal and information security experts told attendees at a cyber security forum in Boston on Wednesday.
Companies need to do a better job of managing their exposure through third parties, according to the panel: beefing up auditing of internal and partner assets, and including contractual protections that will indemnify them in the event that a breach at a supplier or business partner exposes data that materially affects their firm.
The panel, “Fortifying the Supply Chain,” was part of a day-long event at The Federal Reserve in Boston, sponsored by the Advanced Cyber Security Center, a technology industry consortium. It brought together top legal and information security experts, including FireEye researcher Alex Lanstein and Jim Halpert, the head of the US Privacy and Security Practice at DLA Piper LLP. The panel was moderated by Gus Coldebella, a Partner in the Securities Litigation and White Collar Defense Group of Goodwin Procter LLP in Washington, D.C.
Lanstein, of FireEye, said that a surprising number of the incidents of network compromises his company investigates originate at supply chain partners of the target company. “Sometimes nation states come in through the front door,” he said. “But a shocking number of breaches come via a third party.”
A typical example, he said, was for attackers to gain a foothold on a supplier network and then look for remote desktop connections like Citrix to jump from the supplier or contractor to its customer network.
And not all those attacks are targeted, Lanstein said. Many are targets of opportunity for cyber criminal groups that have come into possession of valid credentials for the target network – either directly or through a middleman selling credentials in the cyber underground.
“These guys are exceptionally good at getting credentials,” he said.
Unfortunately, many companies are still ill-prepared to manage such incidents, said Halpert.
Too many firms fail to adequately screen vendors that end up getting access to their network or sensitive data. And companies often fail to adequately protect themselves legally. Companies worried about third party cyber risk need to have clear expectations and prepare to negotiate – up front – to get the terms they want.
“You need security appendices for contracts that contain your ‘ask’,” Halpert said. Companies should vet more than one possible supplier and be prepared to walk away from those who aren’t willing to meet their most urgent needs.
“If you’re sharing strategic data and online credentials to your network, you need to make sure that the service provider can do their job in protecting it,” he said.
And, in an age of software as a service, firms need to closely vet and monitor their service provider agreements and update them when needed to add protections for sensitive data. “You often see companies where you have 15 or 20 entities with access to data,” Halpert said. “There needs to be some discipline in contracting.”
Coldebella of Goodwin Procter said that – over time – regulators at the state and federal level will probably make some of these “best practices” mandatory. However, events right now are running ahead of regulation.
States like California are expanding their data breach disclosure laws to put the onus on companies to inform customers when their data has been compromised – even in the absence of proof that it is being misused. And regulators like the Securities and Exchange Commission are working to strengthen breach disclosure requirements for publicly traded companies.
Still, the onus falls on companies to vet their business partners and service providers, the experts agreed.