Organisations are beholden to their suppliers. For a retailer it could mean the difference between having products on the shelves or not. For a manufacturer, it’s about securing the vital components and materials needed to build industry-leading products. In the UK, we are now predominantly a services-based economy. That means a vast and complex supply chain of professional services companies: businesses that offer not tangible goods, but knowledge-based skills that cannot be sourced in-house, observes Azeem Aleem.
The challenge is that these companies often have privileged access to their clients’ IT systems and store highly sensitive customer and corporate data. That means they represent a cyber security risk. An NTT Security poll conducted last year found that a majority (60%) of global business decision-makers believe third parties like these to be the weakest security link in their organisation.
Fixing this problem will require a rigorous, risk-based approach focused on security Best Practice and on achieving visibility, control and continuous improvement.
A digital economy
Professional services are in many ways the lifeblood of the UK economy. According to PwC, firms that carry out auditing, advisory, tax and similar work account for 15% of UK GDP, 14% of employment and 14% of exports. Yet even that estimate is likely to be on the conservative side. In fact, the sector covers a vast swathe of businesses including law firms, architects, accountants, advertising and marketing agencies and many more.
Professional services can include virtually anything that can be thought of as a knowledge-based skill. As such, digital infrastructure is vital to the smooth running of these services, enabling seamless online collaboration, reporting, analysis and auditing. Yet where there’s data, people and money, there is always cyber risk. According to NTT Security’s data, the business and professional services sector became the most attacked sector in EMEA last year, accounting for just over 20% of attacks. It was third globally, comprising 10% of attacks.
Part of the problem stems from the sheer size and complexity of modern digital supply chains. Last year, one vendor reported that the average US or UK company shares sensitive data with over 580 third parties, with nearly 60% of them having experienced a breach caused by one of these firms. Three-quarters said they thought such incidents were increasing. Yet visibility appears to be a major challenge. Over a fifth (22%) of respondents to the study claimed they didn’t even know if they had suffered a breach.
It also appears as if third party risk may still not be receiving the Board-level attention it deserves: only just over a third (37%) claimed they have enough resources to manage supplier relationships, while a similar number rated their third party risk management programme as highly effective.
Supply chains under attack
Attackers are targeting professional services firms primarily with one of two goals in mind. They’re either after sensitive client data stored by that firm or are targeting the supplier in a kind of ‘stepping stone’ or ‘island hopping’ attack focused on infiltrating the networks of its customers. Half of all attacks analysed recently by one vendor use these island hopping tactics.
Examples of both types of threat are numerous. Law firms represent a particularly attractive target, given the large volume of sensitive information they hold on clients. Perhaps the best example of the potential risks involved comes from two infamous data leaks at separate law firms dubbed the Panama Papers and the Paradise Papers. These exposed the offshore tax avoidance plans of a large number of businesses, celebrities and even world leaders, destroying the trust these customers placed in their legal advisors and putting one of the law firms in question, Mossack Fonseca, out of business altogether.
The threat to the legal sector is clearly growing, as both financially motivated cyber criminals and nation states look for valuable data on M&A deals, patents and other sensitive client information. A PwC report from 2017 claimed 60% of law firms had reported an information security incident over the previous year, up from 42% in 2014. That same year, the UK Solicitors Regulation Authority estimated that £11 million was lost to cyber crime in the previous 12 months.
Sometimes, professional services firms are their own worst enemy when it comes to risk exposure. A 2018 report found over one million corporate e-mail addresses belonging to staff at the UK’s Top 500 law firms for sale on Dark Web sites. Most were linked to a password, offering cyber criminals a simple way to crack open corporate accounts. It’s believed employees had used these corporate credentials to register accounts with consumer sites like Facebook and LinkedIn, which were subsequently breached.
Nation states join the fray
In the other type of attack, professional services firms are targeted with a view to compromising their clients. Operation Cloud Hopper, uncovered in 2017, saw an attack group (APT10) with links to the Chinese state compromise managed service providers (MSPs) on an “unprecedented” scale.
“Given the level of client network access MSPs have, once APT10 has gained access to a MSP, it’s likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims,” noted PwC. “This, in turn, would provide access to a larger amount of Intellectual Property (IP) and sensitive data. APT10 has been observed to exfiltrate stolen IP via the MSPs, hence evading local network defences.”
Other techniques include ‘watering hole’ attacks, where the website of a professional services firm is compromised in order to spread malware to the computers of partner organisations whose users are likely to visit it. One vendor has even warned of a ‘reverse BEC’ attack in which hackers compromise the mail server of a supply chain organisation in order to spread fileless malware to trusted partners.
The cyber risk from third party professional services firms doesn’t just include data theft. Below-par security among suppliers could also expose organisations to the threat of ransomware. According to NTT Security’s findings, business and professional services firms experienced the second highest rate of ransomware infection globally last year.
Time to be proactive
Given the scale of the threats facing organisations, it’s time to elevate third party risk management to the level it deserves. The National Cyber Security Centre has developed some useful guidance setting out four key principles that should inform any programme. These are: understand the risks, establish control, check your arrangements and then work towards continuous improvement.
Understanding the risks means being clear about what needs to be protected and why, who your suppliers are and what, if any, security gaps they have. Establishing control is all about communicating the minimum standards expected of suppliers, building these considerations into contracts and providing cyber security support to suppliers where needed. Checking your arrangements means building assurance requirements into supply chain management, such as pen testing and/or formal certifications. Finally, it’s a case of encouraging a culture of continuous improvement and mutual trust. This will need to evolve as supply chains change over time.
No organisation can expect to be completely insulated from cyber risk, but this approach seems to set a useful risk-based foundation upon which to build. As for specific steps that we would recommend, they should include first conducting data auditing to understand what needs to be protected and which suppliers handle which high-risk data. Best Practice security controls and processes can include tighter access controls along the lines of least privilege, enforced with risk-based multi-factor authentication. Anti-malware protection and threat detection are also a must on endpoints, networks and servers, as well as for e-mail and web gateways.
Regular patch management should be another ‘given’, alongside continuous network monitoring. Incident response and pen testing plans should be run regularly to ensure IT teams have an up-to-date view of their risk profile. Modern techniques like threat hunting can also provide a more proactive approach to security which will help you head off any attacks before they’ve had a chance to impact the organisation.
Don’t neglect the human element
Finally, don’t forget the role of people in the security environment. They’re often thought of as the weakest link, but if properly trained they can provide a welcome first line of defence, helping to spot phishing attempts and reducing the risk of accidental data disclosure and privacy leaks.
Throughout, the focus should be on trying to pre-empt attacks by using threat intelligence effectively to patch vulnerable systems and profile and hunt down attackers. Incident response is a vital part of any security posture, but is increasingly difficult for organisations to perform effectively in-house. This is where third party expertise should be sought as the final piece of the puzzle to enhance risk management efforts.
Azeem Aleem is Vice-President of Consulting at NTT Security