Cyber safety threat lies in third parties

Participants follow proceedings during the launch of the Kenya Cyber Security Report 2015 in Nairobi. FILE PHOTO | NMG

What you need to know:

  • It’s no longer enough for firms to invest in near-impenetrable network systems. Research shows contractors are their weakest link with huge liabilities solely the company’s to bear should an attack occur.

You’ve probably taken steps to guard your company against the tremendous risks posed by cybercrime.

You have invested heavily in the best security tools and even audit employee devices that might connect to your network.

You can say, with a high level of confidence, that your company is near-impenetrable to attacks by malicious hackers.

But, can you make a similar statement about all the third-party vendors and contractors with whom you do business every day?

You likely have an external auditor with access to your books; you may have brought aboard a communications consultant with whom you share sensitive data; and perhaps your outsourced drivers and security personnel can log in to your systems.

Are you assured that these vendors’ systems are as impenetrable as yours? What would the implications to your company be if any of these contractors were to suffer a breach and their emails were poured out onto the web?

These third parties are essential to the smooth running of your business, but they may prove the weak link in the chain mail with which you’ve girded your cyber resources.

“A cyber breach on one third party’s systems can have significant consequences for the wider network,” said consultancy firm Control Risks in a recently released report.

Yet, among African respondents to the survey underlying the Control Risks report, 62 per cent did not have any sort of cyber-crisis management plan guiding third parties on what to do if they suffer a breach.

Outsourcing risks

Control Risks’ assertions echo the findings of Serianu, a local cyber security firm. In its 2016 report, the company listed outsourcing risk as one of the rising cyber security concerns in Kenya.

“Kenyan organisations are not adequately performing risk assessments on their service providers before or during their engagements. As a result, many breaches that occurred in the recent past involved a third party in one way or another,” wrote Serianu.

The threat is real, existing beyond the hypothetical fears of consultancy firms and senior management. In the United States, where these breaches are better documented, the roster of companies that have suffered due to third-party data breaches is long.

Just this year, a season of the series Orange is the New Black was released due to a leak at Netflix’s audio post-production contractor.

In another incident, a clever hacker got into the systems of retailer Target through the firm’s heating and air conditioning contractor. In the fallout, credit card and personal data for over 110 million customers were released.

“As large enterprises become more sophisticated and effective at cybersecurity, criminals increasingly will identify the path of least resistance, seeking out alternative means for infiltrating systems and obtaining data, including through third-party providers,” writes New York University (NYU) researcher Judith Germano.

And although the attack might be on your contractor, at the end of the day it is your company that will suffer in the fallout. It is your reputation that will be ripped apart. It is you whom the regulators and courts will come after. It is you who will likely bear the financial costs of placating irate clients.

The United States’ Securities and Exchange Commission was in 2015 drawn into a case in which public relations agencies had been hacked, and in the process more than 150,000 embargoed or yet-to-be-released media statements were leaked. The information was subsequently used for insider trading.

So what ought companies to do, short of purging all external contractors?

Research agrees that the first step is never to give vendors more information or more access than they strictly need to carry out their business. Control Risks also advises companies to include cyber security as one of the criteria used in vendor qualification.

Companies should also establish best practices to be shared with vendors and carry out regular audits to confirm that these standards are adhered to.

The matter of liability should be dealt with head-on in all new contracts. In case of a data breach, and taking into consideration the regulatory environment, who will bear any resultant financial and legal consequences? These questions should be answered before signing on any new vendor.

Exhibit careless laxity

And finally, when you do part ways with vendors, revoke all access to sensitive information. Former vendors sometimes retain copies of your sensitive information and, in cases of careless laxity, may even retain the ability to access your systems. Make sure these ties are cut cleanly.

This comes even as a new report, the latest cyber security landscape analysis from Control Risks, says key decision makers do not have confidence in their boards’ ability to manage cyber security threats.

A survey of IT and business decision makers found that almost half of respondents reported they believe their organisation’s board-level executives do not take cyber security as seriously as they should.

This is despite 77 per cent of respondents citing the C-suite, rather than the IT department (historically the owner of the function), as being most accountable for cyber security management and decision making in their organisation.

The survey also found that just over 31 per cent of respondents are very or extremely concerned their organisation will suffer a cyber-attack in the next year, and a third (34 per cent) say their organisation doesn’t have a cyber-crisis management plan in place in the event of a breach.

This lack of preparedness is especially striking in the light of the WannaCry ransomware attack of 12th May, which affected 150 countries in under 12 hours.

The report said organisations should ensure cyber security becomes a regular item on the board’s agenda that includes reviewing the external cyber threat landscape in conjunction with IT.

Firms also benefit from regular crisis management exercises that involve all relevant parties including the C-suite, IT, legal, communications and any other members of the crisis management team.

These exercises ensure that all parties understand their roles and responsibilities and the potential implications of a cyber-attack.