When it comes to cybercrime, and especially supply chain cybercrime, it seems like many organizations are getting lost in an increasingly complex web of data, partnerships and trust.
Businesses often can’t name all of the various players in their own supply chain, let alone to what type of data those partners may have access. Even if they are monitoring where data is going, they often can’t tell what traffic is legitimate and what may be malicious. And perhaps most important of all, many businesses aren’t even certain what they should be defending against.
Those are some of the shortcomings discussed by the panelists during the latest HackSurfer Hangout, Hidden Cybercrime Menace: Vendors, Third Parties and the Supply Chain.
“It’s amazing when you sit down with people who are defending networks and say, ‘What is the key terrain within your network? What is stored on your network that people would be interested in?’ and the puzzled looks that you get,” said Wayne Wheeles, the founder and CEO of Release 2 Innovations, who has spoken to half a dozen retailers since the breach at Target.
Even those who have technical solutions in place to defend against cybercrime often find those solutions not being used to their fullest potential. For example, one retailer that had an incident received 600 alerts across a four-day period. They were all ignored.
“People kind of rush very quickly to, ‘Oh, it’s a technical problem,’ and it really isn’t. It’s more of an organizational problem in a lot of ways,” said Jason Polancich, founder of SurfWatch Labs. “Knowing which [alerts] are more important for your business, for your customers is probably one of the big areas that are missing.”
Consumers Just See the Tip of the Iceberg
When it comes to supply chain issues, Damballa’s CTO Brian Foster said it’s a problem that’s been around for awhile, but it’s also one that’s been exacerbated over previous years.
One person asked about the lasting effects these breaches have on an organization. A recent poll showed that many cardholders are reluctant to shop at retail stores that have experienced a data breach.
“Are they going to stay home?” Wheeles jokingly asked.
That’s how it feels as if every store at this point has been compromised. But consumers not closely following the cybercrime landscape only see the tip of the iceberg. For every Target or Home Depot, there are a dozen or more lower-profile breaches that don’t get the attention of the national media and that less savvy shoppers may not be aware have suffered a data breach.
“If you look at how competitive the retail market is and what the margins are, it’s driving them to have cheaper and flatter implementations,” Wheeles said. “And what they do is they find the weakest link in the chain.”
Certainly, we saw that with Target, which began with a simple phishing attack sent to employees at an HVAC firm that worked with the retailer. We’ve seen that same story play out again and again in 2014 with different links in the supply chain being targeted. Point-of-sale manufacturer Signature Systems had a breach that spread to 216 Jimmy John’s stores and another 100-plus small restaurant. Goodwill saw the same thing when C&K Systems, a third-party vendor, led to over 300 hundred stores being compromised.
While the consumer goods sector has been in the spotlight and gotten much of the attention surrounding cybercrime this year, every sector is faced with supply chain crime. Look at healthcare, a sector where data and money is constantly being touched and handed off across various parties. Over 70% of healthcare sector breaches were actually caused by companies whose business is not related to healthcare. Or look at the defense industry, with hundreds of partners often coming together and those avenues of attack often being exploited to steal intellectual property. Or law firms that are being targeted for the valuable records they possess.
But it all comes down to the issue identified above: knowing your own risk landscape and what information cybercriminals are targeting.
“When people take this risk-centric view of things that can hurt them, it kind of eliminates a lot of work that you would have to do,” Polancich said. “Whereas right now everyone has kind of got it flipped around, and they’re saying, ‘ There are eight million threats out there.’ Okay, yeah, but only 12 of them really apply to you in any serious way.”
Plugging the Gaps
Improved security goes both ways and includes both small business and large enterprises stepping up their awareness of their risk and taking steps to lessen that risk.
“One of the things retailers need to do is start holding these people more accountable, and a lot of that is going to come in the contracts and the policies that they put forth in signing up for these third-party point-of-sale device manufacturers, owners, whatever service they’re using,” Foster said. “I think you need to start there and hold them accountable.”
Foster added that the companies who are doing well in regards to supply chain cybercrime tend to put a focus on the problem. They emphasize the importance of managing that risk throughout all levels of an organization.
“Business is really, really good at putting products on the marketplace, and I think if we start to turn that kind of approach on cybercrime … ultimately, in my opinion, that’s what’s going to save us,” Polanich said. “The industry is going to save itself by doing what it does really well just in an area that they don’t typically apply it in.”