If your vendor is breached, you are too
It's become a cliché in the information security world because it is true: You're only as secure as your weakest link. Unfortunately, it's true even if that weakest link isn't part of your own organisation. If a third party with access to your systems – contractor, partner, supplier – gets breached, well then, you've been breached too.

Supposedly, anybody who hadn't been aware of that prior to 2014 got the proverbial wake-up call then, after mega-retailer Target's point of sale (PoS) systems were breached because hackers had penetrated a third party – an HVAC contractor – via malware delivered in an email. That enabled the compromise of 41 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information.

But awareness apparently hasn't led to more rigorous security, at least on average, throughout organisations' information ecosystems. Several examples of that depressing reality came just recently, in which compromises of software vendors led – predictably – to outages or breaches of their downstream clients. 

One caused the disruption of data communication services at four major US interstate gas pipeline companies. Another, which happened last autumn but just recently became public, was a breach of online services provider [24]7.ai, which resulted in payment card breaches of Delta Airlines, Sears, Best Buy and likely other major companies, exposing customer data.

And those are not anomalies. They are part of a trend. The Ponemon Institute's 2017 Third Party Data Risk Study found that 56 percent of respondents had been affected by a third-party data breach – a seven percent increase from the previous year.

Which raises the obvious question: Why? It sounds a bit like homeowners who, even after one of their neighbours has his house cleaned out by thieves, still hand out front-door keys to every contractor who works on their property – plumbing, heating, even the kid who mows the lawn – without so much as a background check.

One possible answer is that the relative costs of breaches – especially the very high-profile ones – aren't painful enough long-term to prompt a major security overhaul. Target is an example – the estimated total loss was somewhere in the US$ 250 million (£185 million) range, but Benjamin Dean, fellow for Internet Governance and Cyber-security, School of International and Public Affairs at Columbia University in the US, did the maths in 2015 and concluded that insurance and tax write-offs whittled that down to about US$ 105 million (£77 million), or less than 0.1 percent of the company's US$ 71.3 billion (£52.6 billion) in 2014 revenue. 

As Dean put it, “the financial incentives for companies to invest in greater information security are low …”

James Robinson, vice president of third-party risk management at Optiv, said yet another factor could be the complexity of third-party relationships, including the reality that clients are also considered a third party, “which is something even the highest of high-tech organisations struggle with.”

And James Paul, managing director at the Synopsys Software Integrity Group (SIG), said another factor is that organisations are “much more connected in areas that have traditionally not posed a technical threat.

“The increasing pressure on profit margins caused in part by companies like Amazon changed the game, making organisations like Target and their suppliers look for creative ways to reduce cost,” he said. “Better control of the HVAC systems in 1,700 stores might create tangible cost savings in an industry where margins are razor thin.”

Whatever the reasons, and whatever the perception of the costs, they are much more significant for the average organisation than for a retail giant like Target, where the net cost per record compromised was less than US$ 2 (£1.5). 

Ponemon found in its “2017 Cost of Data Breach Study: Global Analysis,” that the average cost per record compromised was US$ 141 (£104) – vastly more per record than the Target breach.

Another cliché in the information security world is that there is no such thing as a silver bullet. But that doesn't mean organisations are helpless. Robinson said it will take a shift in priorities – putting security ahead of cost. Paul added that “organisations need to make third- and fourth-party security part of their overall programme.”

He said better awareness of those risks means things are slowly improving. “It's gone from near nothing to where all of us make every vendor fill out security questionnaires,” he said.

Taylor Armerding, senior security strategist at Synopsys

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.