The impact of supply chain data breaches [Q&A]
Digital supply chain breaches are becoming more common, as supply chains increase in complexity so the attack surface grows and even smaller businesses can have complex webs of connections.
But how do supply chain breaches impact businesses? And what can they do to cut the risk? We spoke to Jeremy Hendy, CEO of digital risk protection specialist Skurio, to find out.
BN: Direct security breaches tend to dominate the headlines. How prevalent are indirect breaches?
JH: Data breaches caused by third parties are increasingly common, although in many cases it does not come to light until a lengthy investigation. Recent research from Ponemon found that 51 percent of organizations have experienced a breach caused by a third party and there have been several prominent examples in recent years.
Last year, General Electric suffered a serious breach after attackers compromised the email of a vendor, Canon Business Processes. The perpetrators used the account to access a trove of data belonging to past and present GE employees, including bank account details and passport information.
In another case earlier this year, Volkswagen Group was notified that a supplier had left the unsecured data of 3.3 million customers on the internet for more than eight months. In the case of 90k customers sensitive details including social security and driving license information were included.
BN: Why are third party breaches so prevalent?
JH: The increase in third party breaches is due to our more complex digital supply chains. Organizations have numerous partners and suppliers and there are more connections for attackers to exploit. Even small firms now have extended networks of connections with varying access to their data and network infrastructure, and large businesses sit within complex webs of thousands of other companies.
These digital supply chains grow rapidly, causing organizations to lose track of how data has been shared and which third parties have access to their network. As with the GE breach when third parties are granted system access, threat actors will often attack these connections to sidestep more well-secured targets.
Firms also may not realize for example the extent of the information they have shared with outsourced providers handling their HR and financial needs. Elsewhere, customer databases may have been shared with sales and marketing partners, often with no formal process involved.
Once a dataset has left the organization's network and is out in the wild, it is extremely difficult to find out where it has ended up, how many times it has been copied, and how well protected all the copies might be.
It's also worth noting that a data breach can often impact multiple companies because of the frequency of password reuse. Google recently found that 65 percent of people still reuse passwords across multiple sites. This means a company can be compromised because a completely unrelated breach included an employee who reused their password for corporate systems.
BN: What is the impact of a third-party breach?
JH: Even if a third party such as a supplier or partner is demonstrably at fault, the original holder of the data is likely to be hit just as hard as if their own systems were at fault.
Most data security and privacy regulations such as the GDPR specifically state that data controllers are ultimately responsible for any data that has been shared with others, and so will potentially face the full extent of any fines. For particularly large breaches this can run into millions of pounds, as seen with the BA breach that carried a fine of £20m.
Other breach costs such as reputational damage and loss of customer trust will, of course, still apply regardless of the origin of the breach. Similarly, the company will still be exposed to legal action from affected customers. Legal firm Pinsent Masons has found that litigation around data breaches appears to be on the rise.
BN: How can organizations reduce the risk of third-party breaches?
JH: Operating in the digital era means it is inevitable that data will leave the company's network regularly, leaving it more exposed to being breached or leaked. Similarly, most businesses will need to allow at least some external access to their network. But while the risk cannot be avoided entirely, it can be controlled and reduced.
First, all third parties with any level of data access should be governed by strong contracts that explicitly set out their security responsibilities. Security criteria can be included as part of service level agreements to ensure they are taken seriously.
Companies also need to ensure third party network access is restricted to the absolute minimum necessary for their role, which will minimize the damage an attacker can do by compromising them. Strict processes should be in place around sending any kind of sensitive files outside of the network to reduce the risk of copied datasets falling off the grid.
Additionally, companies should educate their employees about password best practices and implement measures to prevent them from reusing credentials across multiple systems or outside of the company. This will reduce the risk posed by third-party breaches involving credential sets.
BN: What can firms do if they think they've suffered an indirect breach?
JH: Companies should assume their data is already outside of their perimeter, and that it is will eventually be involved in one of the countless data breaches occurring daily. This means that as well as taking steps to reduce the chances of a third-party breach, firms also need to quickly identify when one occurs.
One of the most effective methods here is to tag datasets with a kind of digital watermarking known as a 'breachmarker'. This takes the form of a unique, fictional individual placed into the dataset among the thousands of real people.
Continuous, automated monitoring can then be deployed to constantly scan for this marker in open and closed web sources. If a threat actor posts the dataset for sale on a dark web forum or dumps it on a Pastebin site, the monitoring system will detect it in moments.
This immediately puts the data owner in control of the situation. Third-party breaches often mean being on the back foot, forced to scramble a response to an incident that has commonly been detected only because the dataset is already being used for fraud or further attacks. Instead, the data owner can be sure of exactly what data has been involved, swiftly and accurately notify those involved, and take steps to have the data taken down. This greatly reduces the financial and reputational impact and goes a long way to getting regulators on side.
Breachmarkers can also be used to track down the source of a third-party breach. By ensuring that each supplier has a different unique marker, it is immediately apparent where a breach originated from.
While third party breaches are perhaps unavoidable, taking a proactive and responsible approach greatly mitigates the impact when the inevitable does occur.