It’s become a cliché in the information security world because it is true: You’re only as secure as your weakest link.
Unfortunately, it’s true even if that weakest link isn’t part of your own organisation. If a third party with access to your systems—contractor, partner, supplier—gets breached, well then, you’ve been breached too.
Supposedly, anybody who hadn’t been aware of that prior to 2014 got the proverbial wake-up call then, after megaretailer Target’s point-of-sale (PoS) systems were breached because hackers had penetrated a third party—an HVAC contractor—via malware delivered in an email.
That enabled the compromise of 41 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information.
But awareness apparently hasn’t led to more rigorous security, at least on average, throughout organisations’ information ecosystems. Several examples of that depressing reality came just recently, in which compromises of software vendors led—predictably—to outages or breaches of their downstream clients.
One compromise caused the disruption of data communication services at four major U.S. interstate gas pipeline companies.
Bloomberg reported that Oneok, Inc., Boardwalk Pipeline Partners, Energy Transfer Partners, and Eastern Shore Natural Gas had to discontinue using their electronic data interchange (EDI) system for communicating with customers after a third-party service provider, the Latitude Technologies unit of Energy Services Group, was breached.
Another compromise, which happened last fall but only recently became public, was a breach of online services provider [24]7.ai, which resulted in payment card breaches at Delta Airlines, Sears, Best Buy, and likely other major companies, exposing customer data.
And those are not anomalies. They are part of a trend. The Ponemon Institute’s 2017 Data Risk in the Third-Party Ecosystem study found that 56% of respondents had been affected by a third-party data breach—up from 49% the previous year.
Which raises the obvious question: Why? It sounds a bit like homeowners handing out keys to their front door to every contractor who works on their property (plumbing, heating, or even the kid who mows the lawn) without doing a background check on them—even after one of their neighbors gets his house cleaned out by thieves.
One possible answer is that the relative costs of breaches—especially the very high-profile ones that put companies into the news for all the wrong reasons—aren’t painful enough long-term to prompt a major security overhaul.
Target is an example—the breach didn’t cut significantly into the company’s bottom line.
The estimated total loss was somewhere in the $250 million range, but Benjamin Dean at the School of International and Public Affairs at Columbia University did the math in 2015 and concluded that insurance and tax write-offs whittled that down to about $105 million, or less than 0.1% of the company’s $71.3 billion revenue in 2014. Target revenue increased to nearly $73.8 billion in 2016 but then dropped to $69.6 billion in 2017. But that was likely due more to factors like competition from that major river in South America than to a breach from four years earlier.
As Dean put it, “The financial incentives for companies to invest in greater information security are low.”
Another factor could be what Synopsys VP of marketing Jim Ivers noted in a recent column: breach fatigue. He cited a recent notice from the U.K.’s Government Communications Headquarters (GCHQ) that the country had been hit by 796 cyber attacks in 457 days.
Which is probably more than enough to eliminate any shock value, not only for the general public but even for organisations at risk. Another day, another couple of breaches. What else is new?
James Robinson, vice president of third-party risk management at Optiv, said yet another factor could be the complexity of third-party relationships.
“The definition of third party for most is either very narrow, as in IT, or very broad in the case of the business,” he said.
“The challenge of scope, control, and focus, combined with the scale and complexity of engagement, causes most organisations to have lack of ownership and oversight.”
Another trend, he said, is that clients are also considered a third party, “which is something even the highest of high-tech organisations struggle with.”
And James Paul, managing director at the Synopsys Software Integrity Group (SIG), said another factor is that organisations are “much more connected in areas that have traditionally not posed a technical threat.”
“The increasing pressure on profit margins caused in part by companies like Amazon changed the game, making organisations like Target and their suppliers look for creative ways to reduce cost,” he said. “Better control of the HVAC systems in 1,700 stores might create tangible cost savings in an industry where margins are razor thin.”
Not to mention that just keeping track of third-party relationships—especially in a large organisation—can get very complicated. Some of them “could easily have 20,000 vendors,” Paul said. “They could have upwards of 1,000 that have some level of risk management requirement.”
Whatever the reasons, and whatever the perception of the costs, those costs are much more significant for the average organisation than for a retail giant like Target, where the net cost per record compromised was less than $2.
Ponemon found in its 2017 Cost of Data Breach Study that the average cost per record compromised was $141—down from several years earlier but still vastly more per record than the Target breach.
Larry Ponemon, chairman and founder of the institute, said in an interview about an earlier report that it is all about context. The survey covered only breaches that ranged from 5,000 to 100,000 records compromised, because that is the range for the vast majority of them.
That leaves out the multibillion-dollar companies that get the most headlines when they get breached. But the costs “do seem to flatten out at around $17 per record” once the number reaches into the millions, he said.
“These mega-breaches are rare,” he said, “so they tend to skew the results.”
Another cliché in the information security world is that there is no such thing as a silver bullet. But that doesn’t mean organisations are helpless. There is plenty they can do to remove themselves from the “low-hanging fruit” category.
“Organisations need to make third- and fourth-party security part of their overall program,” Paul said. “They need a good definition of their risk tolerance and resulting requirements for vendors.”
And he said that along with awareness of the ongoing risks, there is a measure of progress on that front. “There are new firms launching software systems with goals of being almost like a vendor clearinghouse—like a Dun & Bradstreet for vendors,” he said. “I think there is a lot of momentum here because of the tremendous amount of wasted cost. That said, I am not sure anyone has the right model yet.”
Robinson said it will take a shift in priorities—putting security ahead of cost. “Most organisations first look at spending with a third party, which should be a small factor,” he said. “The amount and type of information, as well as the connectivity or access of the third party, should be top priority, along with the criticality of the services provided.”
Another thing that could get the attention of both organisations and their third-party suppliers is liability. It can get costly to either fight or settle class action suits.
There have also been calls for government regulation—there are a number of bills pending in Congress that would attempt to improve cyber security through mandatory standards, although none of them has made it out of committee.
But Paul is dubious that such a move would be effective anyway. “Regulation is almost always a bad idea in high tech,” he said. “The government has no ability to keep up with the firms they are trying to govern.”
And he said organisations are working at third-party security without the hand of government on them.
“The landscape is changing,” he said. “It’s gone from near nothing to where all of us make every vendor fill out security questionnaires.”
Taylor Armerding, Senior Infosec Writer at Synopsys