The marketing agency we use to design our cool promotional t-shirts is fun to work with – they have a totally hip workspace and even have a resident dog in their office. But do I trust them with the security of our business networks? Not a barking chance.
Systems, networks, and businesses are becoming more interconnected every day, and as that web of connections expands, so does the risk of cyberattack via a third party. Each time another device or network connection is added, a new threat vector is created. So, for those organizations that aren’t thinking about the potential threats created by those third-party connections, it is time to wake up that sleeping dog.
The news is littered with examples of third-party breaches – through an unsecured access point, with credentials that allowed too much access, malware that spread from the partner into the business network; the list goes on. It isn’t because vendors and partners are attacking each other; it is because the convenient, open connections that allow companies to exchange data also become a convenient avenue for cyberattack. Third parties often have totally legitimate reasons for needing access to corporate data (why else would we do business with them?), but how they get that data is the problem, and that is where cybersecurity best practices need to be applied.
If we take the example of our marketing agency, they need branding information, images, color palettes, copy, and other content from us. We have all that information stored in a repository on our network, but we never let them access our repository; we send or push the data to them. The same should be true for the vendors, partners, and other third-party relationships in financial services, healthcare, critical infrastructure, and pretty much every other industry. Most hospitals, banks, and oil rigs probably aren’t looking to make funky graphical t-shirts, but they are still generating all kinds of operational data that needs to be shared with third parties: retailers looking for customer data, remote performance monitoring, and data aggregators seeking all kinds of market/transaction data.
The rut that everyone seems to get stuck in is the perception that these exchanges need to be two-way communications, and that networks must be available to let outside parties in to retrieve the data they need. It doesn’t have to be that way. In fact, for many years now, in thousands of locations worldwide, data has been routinely and continuously pushed to those third parties with no way back into the business network. This is accomplished using a data diode (hardware-enforced cybersecurity) or a similar unidirectional device.
This “data push” is actually part of the relatively recent guidance issued by the Dept. of Homeland Security (DHS) on how to protect industrial control systems, but the principles could easily be extended to pretty much every commercial market vertical. The DHS provides seven strategies that include specific guidance for protecting connections into and out of networks:
- Whitelist the applications (both internal and third party) that should have access to sensitive business networks and systems
- Reduce the overall risk to your network by reducing unnecessary connections
- Convert as many connections as possible to one-way out (with a data diode)
- Utilize one-way in transfers for patches, software upgrades, etc.
- For remaining two-way communications, use locked down, single port connectivity
- Segment your network to limit lateral movement across your business networks
- Develop/maintain a plan to manage and monitor authentication and implement the “least privilege” principle: restrict those who do have access to only the data and systems they need to perform job functions
Most importantly, these strategies work! The report noted that implementing these strategies would have prevented 98% of the cyberattacks reported in the previous 2 years. Those are some great numbers for the dog-eat-dog world of cyber threats.
The bottom line is that we will inevitably need to connect with our partners, vendors, and customers to conduct business, but we should not entrust them with our cybersecurity. By using one-way-only data transfer solutions (data diodes/unidirectional gateways), data can be shared with third parties while guaranteeing bad actors cannot get in.