What we now call “hacking” has been around almost as long as humans have existed. Today’s version focuses on technology, but the behavior takes many forms that even go back to the story of the Trojan horse. Hacking is simply the act of exploiting a weakness to gain access to something, whether that is in a computer system or in someone’s trust of a huge wooden horse rolling through the gates of a city.
I work for JSCM Group, a cybersecurity company based in North Carolina. Our company mission is to help organizations make their security better. While we hope to be brought in to help improve security before there is a problem, the reality is that some of our largest clients are only on that list because of a breach. In those situations, we are dealing with incident response and the aftermath of a hacker who got onto the network. When this happens, the only recourse is damage control, which, unfortunately, often means completely wiping everything and rebuilding, leading to longer recovery times, higher costs and a loss of business.
The worst part of these situations is the realization of why it happened. If these breaches were caused by malicious intent on the part of someone in the organization, in a lot of ways that’s an easier pill to swallow. But more often than not, it was blind faith that led to a security incident.
Reliance on outsourcing
Most organizations outsource processes in some way. There is no need to host an email server internally when you can pay a monthly or annual fee to have Microsoft or Google do it for you. Even staffing can be outsourced through the use of certified public accountants or managed service providers (MSP) for information technology (IT). And while outsourcing processes and systems can benefit you overall, it’s important not to forget to consider the consequences if one of those providers gets hacked.
For example, let’s say you hired an MSP to handle your day-to-day IT support. What happens if the MSP doesn’t have good security practices itself and gets breached? The data that the attacker is going after could very well be information about your organization. And then, what if there is some connection that has been set up between the MSP’s network and yours? Is there anything to stop the hacker from moving into your environment?
This type of attack is called a “supply chain attack,” and it has become one of the leading reasons organizations are getting breached. Attackers compromise one of your vendors and then stumble upon access to your organization’s data or environment. What makes these attacks even worse is that because the hackers are getting access through “trusted” connections, your guard is even further lowered, making the outcome much more disastrous.
So, how do you protect your organization? It’s easy to say, “Stop using vendors or third parties,” but the reality is that most companies would severely suffer if forced to stop outsourcing. Instead, you must look at ways to analyze these relationships and make sure you have implemented sufficient accountability.
Before I dive into the recommendations, I do want to make a very specific point: These should be things that all organizations are considering. We are all at risk, regardless of the size of our business or the industry we are in. If your organization is one that has not spent a lot of time worrying about security because you feel like you’re not a target, I unfortunately have to share that you are exactly the kind of victim that hackers are looking for.
Determine your “must haves”
First and foremost, it is important to put yourself in the right mindset when it comes to figuring out how to improve security. We must all remember that vendors work for us, not the other way around. So, if their security practices do not line up with the ones you are trying to implement for the benefit of your own organization, it’s OK to find a different vendor. In order to really know whether or not the vendor is a good fit, you need to determine your “must haves” from a security perspective. These are things that you should require any vendor to have implemented; otherwise you move on to another option. These can sometimes vary depending on the service the vendor is offering, but there are a few that are easy to start with. And, if the answer to any of these is “no” or they don’t want to share, that’s a good sign to move on to another option.
- Do they go through annual third-party security testing?
- If they are hosting a platform that is going to contain your organization’s data, is it protected with enforced multifactor authentication (MFA)?
- Do they carry liability insurance?
Principle of “least privilege”
One of the cornerstones of security is what’s referred to as “the principle of least privilege.” In simple terms, this means that you’re only granting as much access as is necessary to complete a function. This is especially important for third parties because you don’t have full visibility into their processes or security practices.
As an example, consider that your organization has a vendor that is responsible for managing your phone system. You need that organization to be able to perform its work, but you don’t want to expose yourself to security risks. Instead, you can adjust your approach to ensure the vendor’s access is limited. An easy way to accomplish this is to segment your systems. Implementing segmentation of systems by using virtual local area networks (VLANs) means you can further silo data and better control access. With segmentation, you can separate the phones to control access and better manage what can get in and out and then give the vendor access to this segment and nothing else.
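A small audit of the approach described above, added here as an example and not JSCM Group’s code: given a list of firewall rules, it flags every allow rule that lets the vendor’s address range reach an internal segment other than the phone VLAN. The subnets, the vendor’s source range and the rules are all constructed for illustration.

```python
"""Least-privilege audit of a vendor's network access (added example).

The article's advice: the phone vendor reaches the phone VLAN and nothing else.
Any allow rule that lets the vendor's range touch another segment is a finding.
All addresses below are constructed (RFC 1918 and TEST-NET-3 ranges)."""
import ipaddress
from dataclasses import dataclass

# Constructed internal segments; "phones" is the VLAN the vendor is allowed to manage.
INTERNAL_SEGMENTS = {
    "phones":  ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.10.0.0/24"),
    "users":   ipaddress.ip_network("10.30.0.0/24"),
}
# Constructed vendor egress range, as the vendor would document it to you.
VENDOR_SOURCE = ipaddress.ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Rule:
    src: str      # source network in CIDR notation
    dst: str      # destination network in CIDR notation
    action: str   # "allow" or "deny"


def segments_reached(dst):
    """Names of internal segments that a destination network overlaps."""
    return [name for name, seg in INTERNAL_SEGMENTS.items() if dst.overlaps(seg)]


def audit_vendor_rules(rules, vendor_src=VENDOR_SOURCE, allowed_segment="phones"):
    """Return (rule, [over-broad segments]) for each allow rule that lets vendor
    traffic reach any segment other than allowed_segment. An "any" destination
    (0.0.0.0/0) overlaps every segment and is therefore flagged too."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if not ipaddress.ip_network(rule.src).overlaps(vendor_src):
            continue  # not vendor traffic; outside this audit's scope
        dst = ipaddress.ip_network(rule.dst)
        extra = [s for s in segments_reached(dst) if s != allowed_segment]
        if extra:
            findings.append((rule, extra))
    return findings


# Constructed rule set: one intended rule, one over-broad rule, one "any" rule.
CONSTRUCTED_RULES = [
    Rule("203.0.113.0/24", "10.20.0.0/24", "allow"),   # vendor -> phone VLAN (intended)
    Rule("203.0.113.0/24", "10.10.0.0/24", "allow"),   # vendor -> servers (over-broad)
    Rule("203.0.113.10/32", "0.0.0.0/0", "allow"),     # "any" rule added for convenience
    Rule("0.0.0.0/0", "10.30.0.0/24", "deny"),         # deny rules are not findings
]

if __name__ == "__main__":
    for rule, extra in audit_vendor_rules(CONSTRUCTED_RULES):
        print(f"{rule.src} -> {rule.dst} also reaches: {', '.join(extra)}")
```

Run it against an export of your own rule base to see which vendor rules reach beyond the segment they were granted.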
Vendor redundancy
Finally, you must always look at ways to build in redundancy with your vendors. If you rely too much on a single provider, it makes it much more difficult to separate from that group. Instead, have redundancies in place so that if you find that a vendor isn’t upholding your security standards, you can switch to a vendor that can.
There are countless ways to improve your security, but the goal is always the same: Make your organization a more difficult target, so hopefully a hacker will not want to waste time on you.
Madison Slater is the executive vice president of security and operations at JSCM Group. She has worked in cybersecurity for more than a decade, helping hundreds of organizations improve their security through testing, training and remediation. Want to find ways to improve your organization’s security? Reach out to her at mslater@jscmgroup.com.