In the aftermath of the SolarWinds hack, any update that you provide to your colleagues, bosses, and even the board of directors should convey a better understanding of third-party compromises in general. Any such update on SolarWinds should certainly cover whether or not your organization is one of the roughly 300,000 SolarWinds customers, and whether or not you were one of the 18,000 or so that were running the compromised Orion versions (2019.4 through 2020.2.1 HF1).
If you were running a compromised version, you should certainly report on what you did to investigate whether there was further compromise, how closely you were able to follow CISA's recommendations, what the results of the investigation were, what you did to contain the affected systems, and whether or not (in consultation with your legal department) you suffered a reportable breach as a result. But you should definitely not stop there.
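The first question above (were you running an affected Orion build?) is easiest to answer from an asset inventory. The following is an added example, not code from the original article or from SolarWinds or CISA: it parses Orion version strings of the form "2020.2.1 HF1" into comparable tuples and triages a constructed inventory against the version range the page cites. The range constants, the inventory rows, and the function names are all assumptions made for illustration; check the vendor advisory for the exact list of affected builds before relying on a range check.

```python
import re
from typing import List, Optional, Tuple

# Affected range exactly as stated in the text above (2019.4 through 2020.2.1 HF1).
# Encoded as (year, minor, patch, hotfix) so tuple comparison gives the right order:
# 2020.2 HF1 -> (2020, 2, 0, 1) sorts before 2020.2.1 -> (2020, 2, 1, 0), as it should.
AFFECTED_LOW: Tuple[int, int, int, int] = (2019, 4, 0, 0)
AFFECTED_HIGH: Tuple[int, int, int, int] = (2020, 2, 1, 1)

# Matches "2019.4", "2019.4 HF5", "2020.2.1", "2020.2.1 HF1" (HF optional, case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse an Orion version string into (year, minor, patch, hotfix); None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    year, minor, patch, hotfix = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hotfix or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls inside the affected range, False if outside, None if unknown."""
    parsed = parse_orion_version(version)
    if parsed is None:
        return None
    return AFFECTED_LOW <= parsed <= AFFECTED_HIGH


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = """host,product,version
orion-prod-01,Orion Platform,2020.2.1 HF1
orion-dr-01,Orion Platform,2020.2.1 HF2
orion-lab-01,Orion Platform,2019.4 HF5
orion-old-01,Orion Platform,2018.4
orion-new-01,Orion Platform,2020.2.4
orion-bad-01,Orion Platform,unknown
"""


def triage(inventory_csv: str) -> Tuple[List[str], List[str], List[str]]:
    """Split inventory hosts into (affected, not_affected, unknown_version) lists.

    Hosts whose version cannot be parsed are deliberately kept in a separate bucket:
    an unparseable version is a gap in the inventory, not evidence of safety.
    """
    affected: List[str] = []
    not_affected: List[str] = []
    unknown: List[str] = []
    rows = inventory_csv.strip().splitlines()[1:]  # skip the header row
    for row in rows:
        host, _product, version = (field.strip() for field in row.split(",", 2))
        verdict = is_affected(version)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            affected.append(host)
        else:
            not_affected.append(host)
    return affected, not_affected, unknown


if __name__ == "__main__":
    hit, clean, gaps = triage(SAMPLE_INVENTORY)
    print("affected:    ", hit)
    print("not affected:", clean)
    print("unknown:     ", gaps)
```

A version match tells you which hosts to investigate first; it does not prove that a trojanized build was actually installed or that it beaconed out, which is what the CISA guidance mentioned above is for. Treat the "unknown" bucket as work to do, not as cleared.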
Different types of third-party compromises
The SolarWinds hack is just one example of a third-party supply-chain compromise. While the scale of the SolarWinds hack is certainly novel, third-party compromises are not. Target was initially compromised through its third-party HVAC supplier in 2013, which led to a breach of over 40 million credit card numbers.
JPMorgan Chase, which was spending $250 million annually on security in 2014, was breached due in part to Simmco Data Systems, a third-party supplier that helped it run its non-profit, charitable marathon races. The U.S. Office of Personnel Management (OPM), from which over 20 million government employee identities were stolen in 2015, was breached in part through KeyPoint Government Solutions, a third-party supplier that helped it conduct background checks.
Third-party supply-chain compromises have been happening for years, and most organizations need an appropriately staffed and funded sub-team focused on vetting their third parties and contractually obligating them to improve their security as needed to withstand nation-state threats.
We no longer live in a world in which it is tenable to throw up one's hands and give up because a nation-state attacker is targeting the organization. Assume there is a nation-state targeting your organization. Cost-effective defenses do exist that hold up even against nation-states. If your organization is not there yet, don't just deliver a SolarWinds update; start with the broader need for supply-chain security in your discussions with your CEO and your board.
That said, a compromise of a supplier is just one type of third-party compromise or abuse. Many other types of third parties can be compromised (or can abuse their access): developers, partners, customers, and potential acquisitions are examples. Developers abusing your services, as happened to Facebook with Cambridge Analytica (2016), is a form of third-party abuse.
In the case of Dun & Bradstreet in 2017, a database of 33 million business contacts that the company had sold to a customer was then stolen from that customer. Every customer of yours is a third party, and if you sell or provide sensitive data to them you need to vet their security, because a breach will be attributed to you since the data was originally yours.
Also, if your organization acquires a company that gets breached (or is already breached), you "own" the breach (e.g., Marriott, which disclosed in 2018 that 353 million customer records had been stolen from Starwood Hotels, a company it had acquired).
Third-party compromises are just one of six common root causes of breaches
A sub-team that focuses on supplier security will not automatically solve the problem of the other types of third-party compromises or abuses that can occur. CISOs need to be made aware of every potential acquisition the organization is considering well before it happens, and need to follow the trail of every personally identifiable information (PII) record the organization is entrusted with, whether it leads to an internal database or to a customer's database.
The CEO and the board need to understand that supply chain security is not sufficient as there are many other types of third parties that can result in a breach. Educate your colleagues, peers, and managers about third-party risks holistically, providing an understanding of the many types of third-party risks that can occur.
Finally, all third-party risks together are just one of six common root causes of breaches. The other five are phishing, malware, unencrypted data, software vulnerabilities, and inadvertent employee mistakes. Although typical compliance standards require hundreds of check boxes to be checked, the actual effectiveness of the countermeasures that mitigate the most common root causes may matter much more. In discussions with your board, do not lead with what your cybersecurity program is doing to achieve compliance with an ISO, NIST, PCI, HIPAA, or other standard.
Most organizations that get breached are compliant with such standards at the time they get breached; compliance does not equal security. If your board has historically been focused on compliance (say, at the audit committee, to which many CISOs report quarterly), those discussions need to be elevated to focus on what the existential risks to the business are and what the business is doing to minimize or remove them.
Does your organization need to hire a Chief Risk Officer (CRO), a Chief Privacy Officer (CPO), and/or other executives in addition to a CISO to handle the various types of risks? Who should they report to? Is the CISO reporting to the CIO right now? Is that sufficient? Is cybersecurity considered just an IT problem, or is it broader than that? Should the CISO be reporting to the CEO if there currently is not a CRO or CPO?
Conclusion
Although the hot topic of discussion today may be SolarWinds, it is likely just one of the many hundreds or thousands of third parties that your organization works with. Cybersecurity discussions should focus on protecting the organization from existential risks and from all six of the common root causes of breaches, third-party compromise included.