Derived from the old proverb “a chain is only as strong as its weakest link”, this axiom was top of mind for me this past weekend as I prepared to lift a 20-foot section of trunk and root ball from a downed cottonwood that was blocking my creek. I carefully examined each link of the 40 feet of logging chain, I examined the mechanism of my “come-along” (read: manual) winch, I searched for the right tree to attach the winch to, I cleared the ground around me to have ample foot room, and I thought through my “escape route” should the chain break.
On one of my many breaks, I started thinking about how this old adage applies to your cybersecurity strategy. (Yes, I really do think about this stuff all the time, even when covered in mud, creek water, and sweat!) “You are only as strong as your weakest link” is something that should be on the mind of every CISO, CIO and risk manager.
Attackers are getting smarter, and they go after the weakest link.
Even after the Target breach, an often overlooked part of a firm’s security strategy is its supply chain and vendors. I almost titled this post “It’s 10PM, do you know where your data is?”, but knowing where your data resides is only part of the problem. Are you sharing data with other organizations? What types of data? Do they protect your data the way you would? Are you storing your data in a cloud, or with a SaaS provider? Who has access to that data, and do they have a strong security program in place?
Of course, I am assuming here that you have already locked down those vendors and suppliers that have direct access to your systems (again, reference Target, where the attackers got in using network credentials issued to a third-party HVAC vendor) and that you have implemented least-privilege access controls across your network. If you haven’t, you should start there!
As I started to winch the tree, the first few cranks were easy. In fact, I was surprised how easy it was (honestly, I was surprised the tree moved at all). However, as I cranked it got harder and harder. As more and more of the weight of the tree was borne by the winch, I had to pull and pull on the handle to move it a “click”. After a couple of hours I realized I was the weakest link! I didn’t have the strength (nor had I calculated the appropriate leverage) to move that beast the rest of the way.
So, let me ask you: are you the weakest link in your clients’ supply chain or stable of service providers? One of the trends we are seeing is that more and more companies are putting pressure on their providers to secure their data. They know the attackers are looking for the weak link. What are your clients’ compliance requirements? What regulations apply to them? You may not have compliance standards in your industry, and you may not be in a heavily regulated industry…but are your clients?
The list of compliance frameworks, regulations and certifications is an alphabet soup of acronyms: HIPAA, PCI DSS, HITRUST, FISMA, FedRAMP, FFIEC Appendix J…the list goes on and on. Many of these frameworks now require third-party suppliers to meet the same standards as the regulated entity itself. Soon, merely “checking the box” on a client audit will not be sufficient. You will need to adhere to the standards your clients are held to…and you will need to prove it.
Security now applies to your entire vendor ecosystem. Know where your data is, know where your clients’ data is, and know who has access to it and when. “Trust but verify” should be your mantra. A great starting point is the Third Party Risk Assessment published by the Online Trust Alliance.
Then ask yourself: if one of our clients asked us these questions, how would we answer? Could we prove it?
Identify the weak links…and don’t be one yourself!
Due to the increased attention on cybersecurity events in the news recently, Bluelock commissioned IDG Research to survey executive leadership and IT managers across six major industries. In that survey, 64% of respondents cited lost customer confidence as their primary concern.
It’s no longer “if,” but “when” and “when again” your company will be attacked. Worse, sometimes these intrusions can go unnoticed for months.
Of the 115,000 Cisco devices analyzed in Cisco’s 2016 Annual Security Report, 92% were running software with known vulnerabilities.