Ecosystem risk: What it is and why it matters

WannaCry happened, what now?

In the days following the global WannaCry attack, the UK was flooded with news about the emergence of the attack, its impact, and what to do for those who were hit with this ransomware. It was the hot topic in boardrooms and of IT team debriefs. But now, as the days continue to pass, the shock begins to fade, and even the most well-intentioned, long-term thinkers are once again forced to prioritise day-to-day operations over developing an effective solution to WannaCry, or any attack for that matter.

Taking a step back from all the technical reasons WannaCry succeeded, we’re forced to recognise the bigger problem: the reason any attack succeeds is that some organisations think they know the cybersecurity threats that are out there; they don’t. (Of course, we don’t blame them. With thousands of different alerts to keep an eye on, a growing number of tools to monitor, and a plate full of other responsibilities, getting a holistic view of the most imminent threats seems like an impossible task.)

So, who cares if a few companies in London aren’t prepared? You should.

Risk doesn’t pay attention to legal boundaries or care about the fact that you’re in a different company in a different part of town. A bad breach for one player in the ecosystem affects the health of the whole ecosystem, and the only real way to fix the problem is for all the players to collaborate to mitigate security risks before a breach occurs.

Ecosystem risk explained

Ecosystem risk is this moment:

You (the responsible good gardener) wake up every morning and diligently take the time to set up, maintain, and monitor your beautiful garden. You spend hours on end researching the right fertiliser to use, you peer out into your garden every chance you get, and you’ve even chased away a rabbit or two. Then one day, your neighbour’s garden hose springs a leak. Both of your gardens flood, and you lose your lovely petunias.

So we’re simplifying it a bit, but you get the idea. Hopefully, you also understand why it’s in your best interest to keep tabs on how your neighbour is tending to his garden.

If any individual company monitors the security posture of the members in its ecosystem, suddenly that company feels far more confident about the security of its own assets. Even better, if more and more companies participate in alerting the other companies in their ecosystem to security issues, everyone is informed and can take action to fix the issue. The weak links in the ecosystem are no longer alerted just once (by their paranoid neighbour) but are instead besieged with multiple alerts pressuring them to promptly address the problem, ultimately reducing their own risk and also that of the ecosystem.

This isn’t a completely novel concept though. There’s been an uptick in efforts to provide cybersecurity resources to help the UK community manage cyber risk, such as the GCHQ’s National Cyber Security Centre initiative established by the Queen. SecurityScorecard recently established a partnership with the London Digital Security Centre, a joint venture by the Mayor of London, the Metropolitan Police and City of London Police, aimed at fulfilling this same goal for the London community. 

A call to action for all small and medium businesses

When we say all the players should collaborate, we mean “all.” It’s a misconception that only big business should worry about security. For example, the frequently referenced, infamous Target breach occurred because a small HVAC vendor was compromised. Plus, hackers are targeting smaller companies to gain access to large enterprises.

For small and medium sized businesses, spending time collaborating to build a healthier ecosystem, when each employee is usually wearing two or three different hats at the organisation, could seem like wishful thinking. That’s when a security ratings tool comes into play.

A security ratings tool is a relatively new category of information security solutions that provides organisations with a detailed and continuous assessment of their security posture and their third-parties’ security posture. These tools were created in response to organisations being under constant threat by malicious hackers who are looking to steal sensitive information, and disrupt an organisation’s productivity, profitability, and reputation. They provide an independent and measurable overview of the risk of any company within an ecosystem.

Small and medium organisations arguably need these tools even more than large enterprises, simply because they don’t have the time or the money to afford an alternative. They might not have the subject matter experts they need in house to gain control of the cybersecurity sphere, and it may make little operational or business sense for them to invest in these resources. A SaaS tool that gives them access to the expertise can help them understand the risk that they take on, either directly or through the third parties they use.

For the small and medium businesses who think that this kind of investment is too costly or unnecessary, as we like to say, “fixing a toothache is cheaper than getting a root canal.” In other words, spending some money investing in a tool that can assist with detection and prevention is better than having to shell out money in the event of a breach. Plus, a breach at a smaller organisation can be even more lethal, because unlike at a large enterprise, there may not be a cash reserve available to pay out lawyers, deal with fines, and manage the reputational impacts of a breach.

What if we had already been thinking of ecosystem risk? 

So, if we had been in a world where all the members of the ecosystem collaborated, encouraged information sharing, and encouraged issue remediation, would WannaCry have gone differently?

The honest answer is no one knows. But we do know that in such a world, the bar would certainly have been higher for hackers. With each member of the ecosystem working together, we have the opportunity to more easily identify shared risks, shine a light on single points of failure, and ultimately have a chance to employ risk mitigating actions earlier.

Dr. Aleksandr Yampolskiy, CEO and co-founder, SecurityScorecard
Jasson Casey, CTO & SVP Engineering, SecurityScorecard