Partnerships are often viewed as a key measure of success among today’s organisations. The responsibility for managing this increasingly complex network of suppliers, partners and outsourcing covering creative services, legal advice, accounting, and much more, rests at the feet of business and IT leaders. Although technological advancements mean these partnerships are probably far more robust than ever before, they have also led to a monumental increase in the corporate attack surface.
Topping the list of weakest security links are third parties, such as contractors and temporary staff, as well as a company’s own workforce, according to the 2018 Risk: Value report from NTT Security. Unsurprisingly, partners and suppliers also appear among the three weakest links. Business and professional services was the most attacked sector in Europe, the Middle East and Africa during 2018, accounting for more than 20% of attacks, and third globally (10%), according to NTT Security’s Global threat intelligence report (GITR).
Professional and business services firms account for almost 11% of the UK’s gross value added (£186bn) and 13% of employment (4.6 million workers). These figures further emphasise the importance of the role such firms play in modern supply chains, filling in gaps in expertise right across the corporate spectrum. With supply chains now operating in a predominantly digital environment, a vast amount of information flows between the two sectors. In some cases they even share IT and human resources, further increasing the organisation’s risk exposure.
Cybercriminals inevitably recognise suppliers as the holders of sensitive client data and offer them a substantial return for their efforts. For example, in 2016, three Chinese nationals were indicted after hacking US law firms and using stolen client data to make $4m off insider trading.
Increasingly, services firms are being used in attacks to gain an unauthorised ‘route in’ to the corporate networks of high-value clients and their sensitive data troves. According to the NTT Security 2018 GITR report, 21% of attacks on the business and professional services sector came in the form of web application attacks. The repercussions of such an attack can have devastating effects on both supplier and partner, leading to reputational damage and financial loss.
A consequence from the recent General Data Protection Regulation brought in to strengthen data protection practices throughout the European Union is the fact organisations and their suppliers have greater accountability and will have to answer to any failings in their information security practices.
So, what actions can organisations take to mitigate the risk, if it is impossible to be 100% breach-proof? Conducting thorough data classification and mapping exercises to understand what data you have and how it moves through the supply chain can help reduce risk. Regularly audit those suppliers handling high-risk data and ensure they mirror the same high-level codes of cybersecurity conduct as your own. Multifactor authentication, least privilege access controls, and multilayered threat defences at the network, physical and cloud server, endpoint and gateway levels should all be considered alongside regular vulnerability testing and patch management and security awareness programmes. This should extend to any temporary or contracting staff.
When it comes to a cybersecurity strategy, procurement teams must employ a proactive approach. Collect and analyse threat intelligence to improve your defences and support threat-hunting initiatives. Ensure your incident response plans are tried and tested and, in the absence of adequate in-house resource, enlist the help of third-party experts. Achieving a mature cybersecurity posture is not easy. But selecting the right partners can speed up the process and help move you into a position of strength.
Azeem Aleem is VP consulting and head of UK & Ireland at NTT Security. He is a highly respected cybersecurity specialist and joined the company in 2018 following a six-year tenure at RSA Security, where most recently he held the role of global director and head of its worldwide advanced cyber defence (ACD) Practice. Azeem has a strong track record in cybersecurity with over 15 years experience in cyber defence technologies, security operations, counter threat intelligence, data analytics and behavioural classification of the cybercriminal. Azeem has been at the forefront of architecting cyber resilience capabilities against APTs for some of the best financial, government and public sector organisations across Europe, the US, Asia and the Middle East. He has worked with both national and international law enforcement agencies around intelligence training, detection and investigation of cybercrime.
This contributed article has been written by a guest writer at the invitation of Procurement Leaders. Procurement Leaders received no payment directly connected with the publishing of this content.