The recent discovery of a database containing sensitive information from almost 200 law firms is yet another chapter in the long-running saga of managing third-party (and, in many cases, fourth-party) cyber risk. While some details of this particular incident remain in dispute, what is clear is that yet another service provider to the legal industry has exposed private data, forcing both the firms and their clients to scramble in response.
Unfortunately, this cycle has become common and is not limited to the legal industry. Industries of all types are facing an uphill battle against cyber risk, with incidents arriving as regularly as the changing of the seasons. Incidents like the one described above do, however, share at least one major characteristic with seasonal storms: preparation pays off.
Just as weather forecasts help allocate resources ahead of a storm, there are indicators that help organizations estimate the likelihood of a cyber threat and direct scarce resources towards preparation. These indicators exist for an organization, its key partners and its extended digital supply chain. Just as living in a warmer climate raises the likelihood of experiencing a hurricane, the indicators explored below serve as useful proxies for imminent and recurring cyber threats.
At-Risk Digital Identities
Have employees' digital identities been exposed? Breaches beget breaches, and unfortunately over 20 billion exposed records are floating around the Internet, with the number growing daily. To make matters worse, the records are often leaked by incidents involving non-corporate systems and services where employees used corporate email addresses, such as booking through a third-party travel agency for work or signing up for a fitness app through work. Usernames for corporate accounts (typically the corporate email address) may not be enough to compromise a system on their own; however, many data breaches tie those usernames to passwords, password hashes and other profile-level details. Even if a user does not re-use passwords across systems, an easily guessable password convention (such as Spring2020!, Spring2020@, Spring2020#, etc.) can be revealed by a single exposed password, saving an attacker the work of guessing.
There are many sources of data available to find out whether an organization's records are available to an attacker. Understanding the volume of exposure calibrates how likely an organization is to have corporate credentials compromised, both by current threats and by future ones. Equally important, though, is understanding what controls are in place to mitigate these threats. Multi-factor authentication for access to the organization's systems is a powerful defense against attacks based on exposed records. Are all your third parties using multi-factor authentication? Unfortunately, we have seen that as many as 39% of organizations do not require this important control for access to their networks.
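The triage the two paragraphs above describe, as an added example that is not part of the original article: given a constructed sample of breach records (the kind an exposure-monitoring source returns), it counts how many of one organization's accounts appear, how many came with a plaintext password, and which of those follow the predictable season+year convention the article names, so those accounts can be prioritized for a forced reset. The record format and the domain are assumptions.

```python
import re
from collections import Counter

# Constructed sample of breach records, as an aggregator might return them.
# "password" is None when only a hash, or no secret at all, was exposed.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "password": "Spring2020!", "source": "travel-agency"},
    {"email": "alice@example.com", "password": None, "source": "fitness-app"},
    {"email": "bob@example.com", "password": "correct horse battery", "source": "forum"},
    {"email": "carol@other.org", "password": "Winter2019#", "source": "forum"},
    {"email": "dave@example.com", "password": "summer20@@", "source": "fitness-app"},
]

# Season + year (2 or 4 digits) + optional trailing symbols, e.g. Spring2020!
SEASONAL_RE = re.compile(
    r"^(spring|summer|autumn|fall|winter)(20\d{2}|\d{2})[!@#$%^&*]*$", re.IGNORECASE
)

def is_seasonal(password):
    """True if the password follows the predictable season+year convention."""
    return bool(password) and SEASONAL_RE.match(password) is not None

def corporate_records(records, domain):
    """Keep only records whose email belongs to the organization's domain."""
    suffix = "@" + domain.lower()
    return [r for r in records if r["email"].lower().endswith(suffix)]

def assess_exposure(records, domain):
    """Summarize how exposed one organization's accounts are."""
    mine = corporate_records(records, domain)
    accounts = Counter(r["email"].lower() for r in mine)
    seasonal = sorted({r["email"].lower() for r in mine if is_seasonal(r["password"])})
    return {
        "records": len(mine),
        "unique_accounts": len(accounts),
        "with_plaintext_password": sum(1 for r in mine if r["password"]),
        "seasonal_convention": seasonal,   # accounts to reset first
        "sources": sorted({r["source"] for r in mine}),
    }

if __name__ == "__main__":
    print(assess_exposure(SAMPLE_RECORDS, "example.com"))
```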
Exposed IT Infrastructure Risk
Do companies have poor external IT infrastructure? Much as you can sometimes tell whether a building will survive a storm just by looking at it, you can learn a lot about how well an organization can defend itself against common threats by assessing its technical infrastructure: servers, domain registration and configuration, and email system deployments. While this exploration will not tell you everything about an organization, particularly about its firewall practices, it serves as a good initial indicator of whether the organization prioritizes cyber security hygiene measures, such as patching, and whether it strives for best practices in its IT operations.
Ask how they configure systems and compare those responses against what you have observed yourself. Tools are readily available to evaluate this external IT infrastructure, offering a snapshot of an organization's external posture. Consider complementing this snapshot with other data sources (such as the exposed identity records above) and with attestation from the organization itself about how it believes it configures systems. Asking about patching and configuration tells you whether they think they are doing what needs to be done. Comparing their answers with the objective data available is a powerful way to validate or refute their assertions and to prioritize a path forward for addressing deficiencies.
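One such objective check, as an added example that is not part of the original article: it interprets a domain's SPF and DMARC TXT records (assumed here as one concrete, externally observable aspect of "email system deployments") and flags permissive settings that let spoofed mail through. The DNS answers are constructed samples standing in for a real lookup of the domain and of _dmarc.<domain>.

```python
import re

# Constructed DNS TXT answers; a real assessment would query these names.
SAMPLE_TXT = {
    "weak.example":        ["v=spf1 include:_spf.mailer.example +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "good.example":        ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@good.example"],
    "none.example":        ["some-verification=abc"],   # no SPF, no DMARC at all
}

def check_spf(txt_records):
    """Return findings about a domain's SPF record (empty list = no concern)."""
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (invalid, receivers treat as none)"]
    mech = spf[0].split()[-1].lower()          # terminal "all" qualifier
    if mech in ("+all", "all"):
        return ["SPF ends in +all: any sender passes"]
    if mech == "?all":
        return ["SPF ends in ?all: neutral, no protection"]
    if mech not in ("-all", "~all"):
        return ["SPF has no terminal all mechanism"]
    return []

def check_dmarc(txt_records):
    """Return findings about the _dmarc record (empty list = no concern)."""
    dmarc = [t for t in txt_records if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record"]
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", dmarc[0]))
    policy = tags.get("p", "").strip().lower()
    findings = []
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC policy missing or invalid")
    if "rua" not in tags:
        findings.append("DMARC has no rua: no aggregate reports collected")
    return findings

def assess_email_posture(domain, txt):
    """Combine SPF and DMARC findings for one domain."""
    return check_spf(txt.get(domain, [])) + check_dmarc(txt.get("_dmarc." + domain, []))
```

Run the same function against each third party's domain and the resulting findings give you concrete questions to put beside their own attestation.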
Incident Response Planning (Or Lack Thereof)
Are your partners ready to respond when something happens? Without a plan, no organization can respond effectively to any external threat, be it a weather incident or a cyber incident. Having procedures and policies that are formalized, shared with appropriate staff, and regularly tested can mean the difference between a minor inconvenience and being closed for weeks.
Ask who has plans and whether they test them. It is reasonable to ask a partner or vendor, especially one handling your sensitive data, "Do you have an incident response plan, and how often do you test it?" These questions should be asked during initial onboarding as well as during routine annual reviews. The answers should be kept handy in case of a sector-wide data breach, and revisited in response to cyber incidents that do make the news, such as the example at the outset of this article. Those who have incident response plans and test them will be ready to respond to these threats, while those who do not will be caught unaware, will struggle to respond, or both.
Unlike hurricanes, cyber threats do not come with days of advance warning, teams of meteorologists tracking them, decades of verifiable impact data or consistent patterns of damage. Cyber incidents tend to hit quietly, usually late on a Friday, and with varying degrees of impact. Yet every organization knows a cyberattack can hit it, and every organization has some degree of susceptibility. Just as organizations prepare for storms, similar preparations can greatly reduce the likelihood and impact of future cyber incidents. Whether the source of the incident is within the organization or a trusted partner, the storms and the cyber risks will return. The only remaining question is how ready your organization will be.