When thinking about cybersecurity, most organisations focus on their own risk — how to ensure their systems, people and processes won't let them down in the event of a cyber attack.
However, many organisations don’t realise that even though their own security might be in good shape, attackers will always look for another way in.
One of your customers’ suppliers may just be the gap they are looking for.
HOW CYBER ATTACKERS TARGET SUPPLIERS
So, how can a company’s supplier, a third-party organisation it works with and trusts, be a risk to your customer's business?
As always, attackers are looking for the weakest link to gain access to data or a network environment. They know that most organisations use a host of smaller suppliers to provide services, and they are therefore looking for the one that has the worst security, and the best access to your client’s systems.
This ‘Trojan Horse’ approach has been very successful for attackers in the past and continues to be used today.
At the peak of the Christmas shopping season in December 2013, we saw a breach through a third-party supplier that had both immediate and far-reaching repercussions for the company that was hacked.
GAINING LEGITIMATE ACCESS
In the US, Target was breached, with more than 70 million customer records and 40 million credit card credentials stolen by hackers. This was a big deal at the time (although today we see much bigger breaches) but gained particular focus for the way the breach was carried out.
The attackers gained legitimate access to the Target environment through the company's heating, ventilation and air conditioning (HVAC) supplier before carrying out their attack.
They did this by stealing the credentials this company used to gain access to Target’s network through an external vendor portal. They were able to do this because the HVAC supplier did not have adequate security protocols in place to stop this from happening, and so Target was left holding the bag.
THIRD-PARTY BREACHES ARE RIFE
Such third-party breaches show no sign of slowing down. In 2017, over 50 per cent of organisations had experienced a third-party breach, up 7 per cent from the previous year.
And in 2018, we continued to see more of these types of attacks. The most famous (and largest) was the Cambridge Analytica attack on Facebook. In this attack, Cambridge Analytica was a genuine user of Facebook’s system, and seemed to be legitimately gathering data.
It then used this position to gather more data than it had the right to, even scraping information from pages of friends of the users the company was targeting.
THE FACEBOOK CASE
Using this method, Cambridge Analytica gathered data from more than 87 million users, and then on-sold this as marketing material to a number of customers. Again, while Cambridge Analytica was eventually shut down, it is Facebook that has suffered in the media following this breach.
In 2018, these types of attacks included The Perth Mint, British Airways (affecting 380,000 passengers), Blue Cross Blue Shield and the University of Louisville.
The Wegmans supermarket chain lost over $900,000 when dealing with a Chilean seafood company that was used by hackers to infiltrate Wegmans’ email account and redirect payments.
THE IMPACT IN NEW ZEALAND
What most customers ask us when they read these headlines is, how can this affect my business, and what can the impact be?
New Zealanders are increasingly realising that being geographically isolated from the rest of the world doesn’t mean that we are safe from these types of attacks.
As many organisations use local as well as international suppliers, the potential attack surface for hackers is constantly growing.
For New Zealand, the fact that we are a country of small businesses makes us a prime target — many small companies don’t have the knowledge, focus or resources to make sure they are secure, and many think that because they are small, they will not be a target.
AWASH WITH RANSOMWARE
This is not the case, and as we have seen in the past, this makes New Zealand incredibly vulnerable to attacks. In 2016 New Zealand was awash with ransomware, with many small businesses falling victim to these email attacks.
The same approach is often used by attackers when trying to find a weakness in a small company to see if they can reach a larger organisation — particularly sending malware through emails, or gaining access to the supplier’s network in order to jump to the larger organisation’s infrastructure.
Such intrusions can go unnoticed for some time, increasing the potential damage that the attackers can inflict.
HOW TO HELP YOUR CUSTOMERS MANAGE RISK
So, is there anything you can do about it? Absolutely! The first thing is to help your clients identify their level of risk.
Do your customers have third-party suppliers? Who are their suppliers? What level of access do suppliers have into your customers' networks, and what level of trust is there between your customers and their suppliers?
For example, is your customer likely to open an email from specific suppliers without checking the attachments?
Once customers know who their third-party suppliers are and what threat they might pose, you will need to advise them to approach these suppliers to discuss their current security posture.
A number of organisations now use a checklist for third-party suppliers to ensure they have some basic cyber security in place, but advise your customers to decide what works best for them.
BASIC, COST-EFFECTIVE HYGIENE
As third-party organisations may often be quite small, becoming compliant with a global standard (such as ISO 27001) may be unrealistic.
But they can still follow some best practice security hygiene at very little cost. This might include items like:
- running an up-to-date antivirus
- installing the latest version of operating systems
- backing up data regularly and testing that the backups can be restored
- implementing a strong password policy, including the use of two-factor authentication
- educating staff about cyber security
There are also some excellent security guides available online, such as those from CERT and the ASD Essential 8.
The security of your clients is only going to be as good as that of the people and organisations that have access to them. Do all you can to keep their data safe.
Peter Bailey is General Manager, Aura Information Security, in Wellington, New Zealand. He is a speaker at the 2019 Cyber Risk Management Seminar.