It’s old news that the pandemic has accelerated the adoption of digital means, but perhaps not widely recognised or accepted yet is that this will change the security paradigm in the short to medium term. And only a few organisations that expect their operations to be disrupted are looking for proactive ways to manage risk to their increasingly complex operations.
In particular, the adoption of new technologies to help drive efficiencies across the business is leading to more complicated IT ecosystems that are, in some cases, heavily integrated with partners, alliances and suppliers. This grey area of risk falls outside the traditional good practice guidelines we have come to know well. We must now adapt our methods and approaches to identify and manage this new risk vector.
With the traditional corporate boundary now becoming increasingly blurred, expanding deep into your supplier landscape, trying to track “who does what and when” with our data is a growing challenge. We now face an increased “attack surface”, presenting many unknown risks and impacts on our daily operations – and our response needs to reflect that.
This is an industry-agnostic problem. It affects financial services accelerating digital adoption to provide better services to their customers. Equally, the rise of e-commerce and non-store retailing within consumer, manufacturing and distribution is placing huge demands on technology-driven solutions to streamline operations. Real-time stock levels, tracking software allowing for improved accuracy over end-to-end manufacture to delivery to the customer are examples of where your software talks to your supplier’s software, which talks to their supplier’s software. All that requires new approaches to managing risk.
Breaches in security can erode market value and damage brand reputation. The attack on SolarWinds and the ransomware attack on Florida-based IT company Kaseya spread through hundreds of networks. That failure to appreciate risk in the overall end-to-end system had a significant material impact on their operations. The Swedish Coop supermarket chain was forced to close all 800 outlets for five days, resulting in sales loss of about SEK90m (£7.2m) a day, highlighting the need to readdress our approach to risk management and look further afield than our own corporate domain.
The unknown risks from this interconnected world include exposed or abandoned internet-facing servers highlighting asset management issues, and confidential documents leaking due to a lack of consistently applied data classification and handling across multiple organisations. Other dangers come from default, out-of-the-box login credentials, pointing to build standards not being met, and legacy hardware falling off the support radar and identifying failing decommissioning processes.
Further problems can arise from suppliers not doing what they are expected to do and not identifying breaches you were blissfully unaware of. All this is in addition to the need to respond to the growing regulatory focus on supply chain accountability, which is placing further pressure on already pressed resources to address risk.
What do we need to do?
So, how do we broaden risk management processes to incorporate the supplier landscape and streamline efforts? There are five key areas to focus on:
- Access – we need to be more transparent and know “who” has access to our network and systems. We also need to understand “what” they do inside our network and with our data and “how” they access it.
- Data – we need to understand “what” data is at risk. That means understanding the full end-to-end architecture that flows into, and out of, our own environment and identify what are the points of exposure that could undermine our operations (“outside-in” scanning).
- Suppliers – we need to increase collaboration and take proactive measures to understand “how” our suppliers manage their own IT estates if they are connected to us (this is not about “pointing fingers”). We also need to mature the commercial obligations with our suppliers to provide greater comfort over how they will handle our data (simply asking them to be ISO compliant isn’t enough).
- Technologies – we now need to leverage red-teaming techniques, attack surface scanning and “continuous control monitoring” to test the robustness of our controls.
- The business – we need to understand what the material impact on our operations would be in the event of a compromise to our systems or suppliers’ systems.
By adapting our traditional approach to managing risk, we can identify the attack surface across the entire IT ecosystem and, by proxy, identify areas of weaknesses we need to fix. This will also enable the more efficient and effective use of scarce resources to target areas of vulnerability underpinning our operations, allowing us to obtain a higher degree of assurance in this connected world.
Carl Nightingale is a cyber security expert at PA Consulting