Last year Elizabeth Denham, the UK's Information Commissioner, issued a notice of intent to fine Marriott that sent quiet shockwaves through corporate boardrooms around the world. It effectively expanded the responsibility of companies for their software and technology supply chains.
The key development came from the fallout of the Marriott data breach, announced by the company almost exactly a year ago. The loss itself was large: the personal and financial data, including names, addresses, payment card details, passport numbers and travel details, of some 380 million customers across many countries. Yet it might once have been greeted with a shrug: embarrassing for the company's reputation, but just another entry on the list of similar breaches that customers have become wearily familiar with.
Yet the consequences of this attack became clear when Denham announced last summer that the ICO intended to fine the hotel group £99 million. That is not a trivial amount for any company to face, but the wider impact came in the reasoning itself. Denham judged that the fine was appropriate because: “Marriott failed to undertake sufficient due diligence when it bought Starwood.” In short, Marriott had acquired a company whose systems had already been compromised by attackers, probably in 2014, and only spotted the breach some two years after the acquisition, by which time Starwood had been integrated with the wider group.
The regulator suggested what ought to be obvious: traditional investment, due diligence and risk assessment processes need to catch up with the speed and sophistication of modern cyber threats. Given how far our ecosystems now extend, the boardrooms of the future will need a much richer picture of cyber data: what it says about a company's relative cybersecurity readiness, what needs to be done to remediate the risks already present, and how much that will cost.
But cyber due diligence is not only a concern for mergers and acquisitions. The same challenge, assessing cyber risk that has never been quantified, worries every major company, and financial services understands it better than any other sector. Even the best-protected institutions are increasingly aware that the thousands of vendors and suppliers connected to them are potential vectors for attack: the weak links in their defences.
As defences are hardened, cybercrime groups look for poorly defended parts of the supply chain as an ideal way in. The COVID-19 situation will only exacerbate this, especially for suppliers that are not used to working from home. From IT providers and law firms to small investment houses and recruitment agencies, these suppliers are already a popular route for attackers, and that risk has just intensified as those businesses decamp to home working. Notably, some of the biggest threats associated with the pandemic are not all that sophisticated: they come from traditional phishing emails, spear-phishing attachments, ransomware, and criminals distributing fake VPN clients, remote-meeting software and mobile apps.
Understanding threat and third-party risk
At the high end of cyber threats, notably against the defence sector, supply-chain risk has been a major national security concern in recent years. The US Department of Defense Inspector General sounded the alarm in July last year about the inadequacy of cyber due diligence in procurement decisions, highlighting threats from hostile nation-states that may be embedded in off-the-shelf products and household-name services.
Situated at the critical end of the threat landscape, defence illustrates the problem of complexity: even understanding the hardware and software supply chain of a new network-enabled warship or aircraft is challenging. Thousands of companies are involved, each with a different level of access to sensitive information. It also shows that traditional vetting is necessary but insufficient: even if a company flies a UK or allied flag, the nature of modern software development makes it hard to know where its code was actually written, and by whom. And much of the commonly available IT hardware is manufactured in China, or built from components that are.
Of course, the fact that companies are worrying about third-party risk at all is arguably a step forward; it points to the progress they have made in addressing their own cyber exposure. It also suggests that hardening defences is having some success in raising the bar, displacing cybercrime to softer targets. But that will be little consolation when it happens: malware delivered through a weakly defended third party can be every bit as destructive as the spear-phishing email, with which we are all familiar, sent directly to our own company.
Planning for the future post COVID-19
There is no doubt that COVID-19 will create additional security threats as attackers try to take advantage of a larger proportion of the workforce spending more time online at home and working in unfamiliar circumstances.
In this heightened threat environment the frequency of breaches is likely to increase. But, as the tone of communications from the ICO, the FCA and other regulators around the world indicates, they will continue to expect the law to be followed: compliance becomes even more important, not less, and these regimes are not suspended during the pandemic.
If we are to avoid a future in which our entire global supply chain is increasingly untrustworthy, we will need a new approach to trust and verification. For governments, this will mean regulation of cybersecurity standards, some of which is already emerging. For companies, it will not be acceptable to take the word of suppliers that their security is good, and questionnaires allowing them to mark their own homework will no longer constitute due diligence.
Instead, companies will need to look at their vendors as an attacker would: from the outside, assessing their vulnerabilities, insisting on minimum security controls and practical remediation where necessary. And they will need to monitor the performance of these suppliers regularly, rather than taking a snapshot and hoping for the best.
In the cyber age, a company’s responsibility, like its attack surface, no longer stops at its own corporate boundary. And, with employees working from home, that attack surface has just grown that much bigger and more vulnerable.
By Robert Hannigan, Executive Chairman of Europe, BlueVoyant.