The Impact of Supply Chain Data Breaches [Q&A]
Digital supply chain breaches are becoming more common as supply chains grow more complex: the attack surface is expanding, and even small businesses can have networks of complex connections.
But how do supply chain breaches affect businesses, and what can they do to reduce the risk? We spoke to Jeremy Hendy, CEO of digital risk protection specialist Skurio, to find out.
BN: Direct security breaches tend to grab the headlines. What is the prevalence of indirect offences?
JH: Data breaches caused by third parties are increasingly common, although in many cases they are only discovered after a lengthy investigation. Recent research from Ponemon found that 51% of organizations have experienced a breach caused by a third party, and there have been several prominent examples in recent years.
Last year, General Electric suffered a serious breach after attackers compromised the email of a provider, Canon Business Processes. The perpetrators used the account to access a wealth of data belonging to past and present GE employees, including bank details and passport information.
In another case earlier this year, the Volkswagen Group was informed that a supplier had left the data of 3.3 million customers unsecured on the internet for more than eight months. In the case of 90,000 customers, sensitive details including social security and driver’s license information were included.
BN: Why are third-party breaches so prevalent?
JH: The increase in third-party breaches is due to our more complex digital supply chains. Organizations have many partners and vendors and there are more connections for attackers to exploit. Even small businesses now have expansive networks of connections with varying access to their data and network infrastructure, and large enterprises are in complex networks of thousands of other businesses.
These digital supply chains are growing rapidly, causing organizations to lose sight of how data has been shared and which third parties have access to their network. As in the GE breach, when third parties are granted access to the system, threat actors often attack these connections to circumvent more secure targets.
Companies may also be unaware of, for example, the extent of information they have shared with external providers who manage their HR and financial needs. Elsewhere, customer databases may have been shared with business and marketing partners, often without a formal process.
Once a dataset leaves the organization’s network and is in the wild, it is extremely difficult to know where it ended up, how many times it was copied, and how far all copies can be protected.
It should also be noted that a data breach can often impact multiple businesses due to the frequency of password reuse. Google recently discovered that 65% of people still reuse passwords across multiple sites. This means that a company can be compromised because a completely unrelated breach included an employee who reused their password for company systems.
BN: What is the impact of a breach by a third party?
JH: Even if a third party such as a vendor or partner is clearly at fault, the original data holder is likely to be hit just as hard as if their own systems were at fault.
Most data security and privacy regulations such as the GDPR specifically state that data controllers are ultimately responsible for all data that has been shared with others, and will therefore potentially face any fines. For particularly large breaches this can run into millions of pounds, as seen with the BA breach which resulted in a £20m fine.
Other breach costs such as reputational damage and loss of customer trust will of course continue to apply regardless of the source of the breach. Likewise, the company will always be exposed to legal action from the customers concerned. Law office Pinsent Masons found that data breach litigation appears to be on the rise.
BN: How can organizations reduce the risk of third-party breaches?
JH: Operating in the digital age means it’s inevitable that data will regularly leave the corporate network, making it more susceptible to breaches or leaks. Likewise, most companies will need to allow at least some external access to their network. But if the risk cannot be completely avoided, it can be controlled and reduced.
First, all third parties with any level of access to data should be governed by strong contracts that explicitly define their security responsibilities. Security criteria can be included in service level agreements to ensure they are taken seriously.
Companies should also ensure that third-party network access is limited to the absolute minimum necessary for their role, which will minimize the damage an attacker can cause by compromising them. Strict processes should be in place for sending any type of sensitive files off the network to reduce the risk of copied data sets falling off the network.
Additionally, companies should educate their employees on password best practices and implement measures to prevent them from reusing credentials across multiple systems or outside the company. This will reduce the risk posed by third-party breaches involving credential sets.
BN: What can companies do if they believe they have suffered an indirect breach?
JH: Companies have to assume that their data is already outside their perimeter and that they will eventually be involved in one of the countless data breaches that occur daily. This means that in addition to taking steps to reduce the risk of a third-party breach, companies must also quickly identify when a breach is occurring.
One of the most effective methods here is to label the datasets with a kind of digital watermark called a “breachmarker”. This takes the form of a unique fictional individual placed in the dataset among thousands of real people.
Continuous, automated monitoring can then be deployed to continuously search open and closed web sources for this marker. If a malicious actor posts the dataset for sale on a dark web forum or drops it on a Pastebin site, the surveillance system will detect it within moments.
This immediately puts the data owner in control. Third-party breaches often mean being on the hook, having to scramble a response to an incident that has usually only been detected because the dataset is already being used for fraud or other attacks. Instead, the data owner can be sure to know exactly what data was implicated, promptly and accurately notify those involved, and take steps to have the data deleted. This greatly reduces the financial and reputational impact and goes a long way in winning over regulators.
Breachmarkers can also be used to find the source of a third-party breach. By ensuring that each vendor has a different unique tag, it is immediately obvious where a breach originated.
While third-party breaches may be unavoidable, taking a proactive and responsible approach greatly mitigates the impact when the inevitable happens.
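An added illustration of the breachmarker approach described in the answer above (example code written for this page, not Skurio's product): it derives one fictional record per vendor from a secret the data owner keeps, inserts it into that vendor's copy of the dataset, and scans a leaked CSV to attribute the leak to a vendor. The customer records, vendor names and secret are all constructed.

```python
import csv
import hashlib
import hmac
import io

# Constructed demo secret: in practice held only by the data owner, never shared.
OWNER_SECRET = b"constructed-demo-secret"

# Constructed sample customer records (fictitious people).
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com", "phone": "555-0100"},
    {"name": "Bob Sample", "email": "bob@example.com", "phone": "555-0101"},
    {"name": "Carol Test", "email": "carol@example.com", "phone": "555-0102"},
]

def marker_tag(vendor: str, secret: bytes = OWNER_SECRET) -> str:
    """HMAC of the vendor name: unique per vendor, reproducible by the owner,
    and not guessable by anyone without the secret."""
    return hmac.new(secret, vendor.encode(), hashlib.sha256).hexdigest()[:12]

def make_breachmarker(vendor: str) -> dict:
    """Build the fictional individual that marks one vendor's copy of the data."""
    tag = marker_tag(vendor)
    return {
        "name": f"Marker {tag[:6].upper()}",
        "email": f"m.{tag}@example.invalid",   # .invalid is a reserved TLD
        "phone": f"555-{int(tag[:4], 16) % 10000:04d}",
    }

def tag_dataset(records: list, vendor: str) -> list:
    """Return a copy of the dataset with the vendor's marker inserted at a
    tag-derived position, so it is not simply the last row."""
    pos = int(marker_tag(vendor)[:4], 16) % (len(records) + 1)
    return records[:pos] + [make_breachmarker(vendor)] + records[pos:]

def to_csv(records: list) -> str:
    """Serialise records as CSV, the form in which a leak typically surfaces."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "email", "phone"])
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()

def scan_for_markers(text: str, vendors: list) -> set:
    """Check leaked text for each vendor's marker e-mail; because every vendor
    received a different marker, a hit attributes the leak to that vendor."""
    index = {make_breachmarker(v)["email"]: v for v in vendors}
    return {vendor for email, vendor in index.items() if email in text}
```

The same scan can be run over any text a monitoring feed returns, with the marker's name and phone used as additional signals when the leak has been reformatted.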