How secure are your suppliers?

Article by the Institute of Directors, 1 Apr 2019 (4 min to read)

Cyber attacks on third parties are a growing "Trojan Horse" threat to businesses.

When thinking about cyber security, most organisations focus on their own vulnerabilities – how to ensure their systems, people and processes are not going to let them down in the event of a cyber-attack.

However, what many organisations don’t realise is that, while their own security may be in good shape, attackers will always look for another way in. One of your suppliers may just be the gap that they are looking for.

So, how can one of your suppliers, a third-party company your organisation works with and trusts, be a risk to your business?

As always, attackers are looking for the weakest link to gain access to your data or network environment. They know that most organisations use a host of smaller suppliers to provide services, and they are therefore looking for the one that has the worst security, and the best access to your systems. This “Trojan Horse” approach has been very successful for attackers in the past and continues to be used today.

Target identified

In December 2013, at the peak of the Christmas shopping season, we saw a breach through a third-party supplier that had both immediate and far-reaching repercussions for the company that was hacked. US company Target was breached, with more than 70 million customer records and 40 million credit card credentials stolen by hackers.

This was a big deal at the time (although today we see much bigger breaches), but it drew particular attention because of the way the breach was carried out.

The attackers gained legitimate access to the Target environment via Target’s heating, ventilation and air conditioning (HVAC) supplier before carrying out the attack. They did this by stealing the credentials the supplier used to gain access to Target’s network through an external vendor portal. They were able to do so because the HVAC supplier did not have adequate security controls in place to stop this from happening, and so Target was left holding the bag.

These third-party breaches show no sign of slowing down. In 2017, over 50% of organisations had experienced a third-party breach, up 7% from the previous year, according to security firm NormShield.

In 2018, we continued to see more of these types of attacks. The most famous (and largest) was the Cambridge Analytica attack on Facebook.

In this attack, Cambridge Analytica was a genuine user of Facebook’s system, and seemed to be legitimately gathering data. They then used this position to gather more data than they had the right to, even scraping information from pages of friends of the users they were targeting. Using this method, they gathered data for more than 87 million users, and then on-sold this as marketing material to a number of customers.

Again, while Cambridge Analytica was eventually shut down, it is Facebook that has suffered in the media following this breach. Other attacks through suppliers last year have included The Perth Mint, British Airways (affecting 380,000 passengers), Blue Cross Blue Shield, the University of Louisville, and the Wegmans supermarket chain, which lost over $900,000 when dealing with a Chilean seafood company that was used by hackers to infiltrate Wegmans’ email account and redirect payments.

Risk to NZ

What most customers ask us when they read these headlines is: how can this affect my business, and what can the impact be? New Zealanders are increasingly realising that being geographically isolated from the rest of the world doesn’t mean that we are safe from these types of attacks.

As many organisations use local as well as international suppliers, the potential attack surface for hackers is constantly growing.

For New Zealand, the fact that we are a country of small businesses makes us a prime target – many small companies don’t have the knowledge, focus or resources to make sure they are secure, and many think that because they are small they will not be a target. This is not the case and, as we have seen in the past, this makes New Zealand incredibly vulnerable to attacks.

In 2016 New Zealand was awash with ransomware, with many small businesses falling victim to these email attacks. The same approach is often used by attackers when trying to find a weakness in a small company to see if they can reach a larger organisation – particularly sending malware through emails or gaining access to the supplier’s network in order to jump to the larger organisation’s infrastructure. This can even be done in a way that may take some time before the crime is even noticed, increasing the potential damage that the attackers can inflict.

So, is there anything you can do about it? Absolutely! The first thing is to identify your risk level. Do you have third-party suppliers? Who are they? What level of access do they have into your networks, or what level of trust is there between this company and yours (eg are you likely to open an attachment from this company without checking the email address)?

Once you know who these companies are, and what threat they might pose to your business, you will need to approach them to discuss their current security posture. A number of organisations now use a checklist for third-party suppliers to ensure they have some basic cyber security in place, but you can decide what works best for you. As a number of these organisations may be quite small, becoming compliant with a global standard (such as ISO 27001) may be unrealistic. But they can still follow some best-practice security hygiene at very little cost. This might include items like:

  • running an up-to-date antivirus
  • installing the latest version of operating systems
  • regular data back-up and restore
  • a strong password policy, including the use of two-factor authentication
  • educating staff about cyber security.

There are also some excellent guides available online for security such as those from CERT and the Australian Cyber Security Centre.

Your company’s security is only going to be as good as the people and organisations who access it. Do all you can to keep your data safe.

Published in Boardroom Apr May 2019 issue