“This is going to be a big one. Real big one.”
David Kennedy, former NSA analyst and cybersecurity entrepreneur, regarding NotPetya
The scale of damages resulting from cyberattacks continues to surge, and we’re naturally focused on the solutions and strategies to prevent those attacks in the first place. Part of those efforts is identifying the cause of a breach, and according to Soha, third parties are a common denominator the majority of the time. In fact, Soha’s survey showed that a whopping 63% of breaches are attributed to third parties. That means spending 80% of our cyber budgets on technology can be wasted if we aren’t careful about vetting the third parties allowed to connect to our networks.
The average company of 1,000 or more employees spends $15 million per year on cybersecurity. Google spends far more than that, yet the credentials of some of their employees who travel were recently exposed after an attack on a third-party travel provider, Carlson Wagonlit Travel (CWT). In its letter notifying employees, Google said that “an unauthorized party gained access to personal information associated with certain hotel reservations made through CWT. CWT subsequently notified Google about the issue on June 16, 2017, and we have been working with CWT and Sabre to confirm which Google travelers were affected.” Not only was a third party responsible for the exposed data, but now Google has to rely on collaboration with this third party to uncover the details and extent to which confidential information was compromised.
The first news about the recent “NotPetya” attack in Europe was breathtakingly devestating, but the reality turned out to be even worse than first thought. The attack resulted in massive financial damages, including:
- Shipping giant Maersk – $450,000,000 loss and still not completely operational
- Reckitt Benckiser – $120,000,000 loss
- DLA Piper – est. $10M in billing/day lost for several days
Causing the losses was a new strain that’s like WannaCry in some ways, but it surpasses WannaCry by having multiple built-in ways to spread. Although forensic investigations continue, NotPetya likely made its way into some of these companies through third-party relationships.
Why do organizations, like Netflix during its recent hack of Orange Is The New Black, fail to address third-party risk in a systematic way? In some cases, widely held cyber myths play a role:
- My organization isn’t a target.
- Technology will provide good enough solutions.
- Hardening the perimeter is the best place to invest.
- Our IT department has this issue covered.
The reality is, everyone is a target. Most breaches start from the inside with a phishing or ransomware attack. While perimeter defenses are important, continuing to spend 80% on perimeter technology while only 20% of breaches are attributed to inadequate perimeters is irrational. Holding IT alone responsible for these considerations while looking the other way is an unacceptable and irresponsible solution that C-suites and boards of directors would do wise to rethink.
Vetting Partnerships
What’s missing is a systematic approach to vetting third parties that connect to a company’s network. What are the elements of a good vetting program for evaluating various types of third-party relationships? Where do organizations even begin this process?
Here are five key steps as suggested by the NIST Cybersecurity Framework:
- Consider security requirements during formation of partnerships.
The organization should have cybersecurity requirements in place when establishing relationships with suppliers or other third parties. Develop and implement cybersecurity policies that apply to external partners who will have access to IT assets. These should reflect established policies for digital identities and credential management. - Select partners based on their security capabilities.
Implement a policy that limits partner selection to only those who can meet cybersecurity requirements. If a partner cannot or will not agree to cybersecurity requirements, that should have an impact on their consideration as a potential partner, and the issue should be escalated to the appropriate manager. - Create compliance standards for partners.
The organization should have external dependency management policies that include compliance requirements for specified standards and guidelines. Create specific (measureable, if possible) guidelines for compliance and ensure that the partnership process is aligned with them. - Include security requirements in partner agreements.
All contracts with external partners should contain cybersecurity requirements. Consult with legal counsel to determine which elements of cybersecurity contract language are appropriate for supplier contracts. Create policies and procedures that guide the creation of these contracts. - Negotiate for improvements with an otherwise ideal partner.
A vendor may be otherwise ideal, meeting or exceeding every business requirement, except that their security posture falls short. Negotiate with the vendor to make needed improvements in their security practices before signing, explaining that it’s in their general interest. Get a commitment before finalizing an agreement.
Following these steps when considering potential partners and those up for renegotiation can save an organization millions of dollars in damages. Don’t let these connections go unmonitored for another day, as it’s now clear how important understanding the full breadth of a company’s risk is, including the risk posed by otherwise trusted and reliable partners, to the survival and profitability of an organization.