Enterprise-level businesses are increasingly putting pressure on their suppliers, large and small, to demonstrate due diligence in their cyber-security. Given the growth in volume and sophistication of cyber-attacks, it is hardly surprising.
For the supply chain partner, large and small, this poses a real challenge. What should happen when the questionnaire hits the desk of a chief technology officer asking him or her to confirm all the steps their company is taking to keep data and communications secure? Will they be able to complete it to the satisfaction of that strategic customer? If they do not, they may well find their business is no longer regarded as fit to do business with because it presents too big a security risk.
Whether it is in recruitment, accountancy, law or catering supplies, the trusted relationship in the supply chain is now under threat, with failure to demonstrate accountability, compliance and effective reporting a key factor in decisions about who does business with whom.
The usual layers of security no longer cut it and with the EU General Data Protection Regulation coming into effect in just over 18 months' time, organisations need to start putting their respective houses in order. This means measurable and reportable intelligence about not only their own, but also their partners' and suppliers' cyber-security practices.
Innovation, implementation of policy and a strong and sustained focus on the critical and most vulnerable areas of security are key to staying one step ahead of the attacker. The question is, do enough businesses understand the nature of the threats and what is required to defeat them? Are they able to provide demonstrable reporting to the satisfaction of their legal department when completing supplier cyber-security questionnaires?
The danger of complacency
Despite the number of high-profile and damaging data leaks that occurred around the globe last year, many businesses are still complacent about security. For many, security is still a matter of out-dated perimeter security that completely ignores the area where most danger now lies – in file-based malware attacks delivered in email attachments. These attacks, which use common file types such as Word, Excel, PDF or PowerPoint, now account for 74 percent of successful data breaches.
Perhaps businesses will sit up and take notice after one of the companies hit last year – TalkTalk – was back in the news this month (October), fined £400,000 for allowing the details of nearly 157,000 customers to be stolen by hackers.
For any business with supply chain partners, it is no longer good enough to claim that targeted attacks cannot be prevented and to assert that post-infection detection and response with anti-virus software is the sole answer.
Technology that works
Among enterprises at the top of the supply chain, it is increasingly understood that the only effective solution that will provide impregnability against this deliberate corruption of email-bound documents lies in file-regeneration technology.
An automated solution utilising this capability disarms malicious files, producing a benign version referenced against the manufacturer's original standard, checking it right down to byte level instead of just looking for active content in the body of the document. A sanitised file is regenerated at sub-second speeds and passed on to users in real-time to maintain business continuity.
The technology protects organisations against even the smallest and most subtle alterations in file structure, detecting, for example, where criminals have changed just two bytes in a PDF file to crash the reader software in order to trigger malware or hidden exploits. This type of attack is simply not visible, or stoppable, without such document regeneration software.
This is a technology that also sanitises outbound emails, using the same techniques to ensure that no business is ever held responsible for the potentially catastrophic consequences of infecting a supply chain partner or client. Reliance on encryption and digital signature-based security may reduce some of the risk from third-party interception, but it will not prevent an organisation from unwittingly delivering an infected file, since hackers are now adept at using delayed-action embedded code or structural manipulation, in combination with clever use of social engineering.
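To make the byte-level structural check and regeneration described above concrete, here is an added example (not part of the original article and not any vendor's implementation). It validates only the cross-reference layer of a constructed minimal PDF, shows that a two-byte change is caught, and rebuilds a clean file; all function names and the sample document are assumptions made for illustration.

```python
import re

def build_pdf(bodies):
    """Write a minimal classic-xref PDF from object bodies, computing offsets ourselves."""
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(bodies, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at, size = len(out), len(bodies) + 1
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, xref_at)
    return bytes(out)

def check_structure(data):
    """Return structural violations for the subset built above; [] means conformant."""
    if not re.match(rb"%PDF-1\.[0-7]\n", data):
        return ["bad header"]
    tail = re.search(rb"startxref\n(\d+)\n%%EOF\n$", data)
    if not tail:
        return ["missing startxref/%%EOF"]
    head = re.compile(rb"xref\n0 (\d+)\n").match(data, int(tail.group(1)))
    if not head:
        return ["startxref does not point at an xref table"]
    problems = []
    for num in range(int(head.group(1))):
        start = head.end() + 20 * num          # every xref entry is exactly 20 bytes
        e = re.fullmatch(rb"(\d{10}) \d{5} ([nf]) \n", data[start:start + 20])
        if not e:
            problems.append(f"xref entry {num} malformed")
        elif e.group(2) == b"n" and not data.startswith(b"%d 0 obj\n" % num, int(e.group(1))):
            problems.append(f"xref entry {num} does not point at object {num}")
    return problems

def regenerate(data):
    """Rebuild the file from its object bodies, discarding the incoming xref and trailer."""
    return build_pdf(re.findall(rb"\d+ 0 obj\n(.*?)\nendobj\n", data, re.S))

# Constructed sample: three objects forming an empty one-page document.
SAMPLE = build_pdf([b"<< /Type /Catalog /Pages 2 0 R >>",
                    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
                    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>"])
# Constructed tamper: overwrite the last two offset digits of xref entry 1.
_at = re.search(rb"xref\n0 \d+\n", SAMPLE).end() + 20 + 8
TAMPERED = SAMPLE[:_at] + b"77" + SAMPLE[_at + 2:]

if __name__ == "__main__":
    print(check_structure(SAMPLE), check_structure(TAMPERED))
    print(regenerate(TAMPERED) == SAMPLE)
```

A production regeneration engine would also validate the content of every object against the format specification before copying it into the output; this example copies object bodies unchanged and covers only the file's index structure.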
Fit to do business with
Besides eliminating known and evolving threats, one of the great benefits of file-regeneration is that it puts organisations back in control, deciding who should receive specific file content as part of a broader security and risk management strategy. Crucially, it also provides supply chain partners with the evidence that their organisation has adopted the solution that is known to be effective against file-based threats – by far the most common origin of cyber-attacks.
The overall outcome is that organisations can send and receive emailed documents, transfer files or share and access cloud file stores with and from customers, partners and suppliers in full confidence and in turn are regarded as safe to do business with.
It is clear that only the kind of genuine innovation to be found in file-regeneration solutions will give organisations this watertight and demonstrable level of security. In the face of so many emerging threats it is vital that the CTOs and CISOs throughout the supply chain recognise this important fact in the ongoing battle against cyber-crime.
Contributed by Chris Dye, VP marketing & communications, Glasswall Solutions