RiskXtraJune2019

More documents

Recommendations

Info

x RISKXtra Professional Services: A New Breed of Third Party Cyber Risk to Manage In the UK, we are now predominantly a services-based economy. That realises a vast and complex supply chain of professional services companies (ie businesses that offer not tangible goods, but rather knowledgebased skills that cannot be sourced inhouse). Azeem Aleem observes the cyber security implications Professional services companies often have privileged access to their clients’ IT systems and store highly sensitive customer and corporate data. That means they represent a cyber security risk. A detailed NTT Security poll conducted only last year found that an overwhelming number (60%) of global business decision-makers believe third parties like these to be the weakest security link in their organisation. Fixing this problem will require a rigorous, risk-based approach focused around security Best Practice and achieving visibility, control and continuous improvement. Professional services are, in many ways, the lifeblood of the UK’s economy. According to PwC, firms that carry out auditing, advisory, tax and similar account for 15% of the UK’s GDP, 14% of employment and 14% of exports. Even that estimate is likely to be on the conservative side. In fact, the sector covers a vast swathe of businesses including law firms, architects, accountants, advertising and marketing agencies and many more. Professional services can include virtually anything that might be thought of as a knowledge-based skill. As such, digital infrastructure is vital to the smooth running of these services, enabling seamless online collaboration, reporting, analysis and auditing. Yet where there’s data, people and money, there’s always cyber risk. According to NTT Security’s data, the business and professional services sector became the most attacked in the EMEA last year, accounting for just over 20% of all attacks. It was third globally, comprising 10% of attacks. Part of the problem stems from the sheer size and complexity of modern digital supply chains. Last year, one vendor reported that the average US or UK company shares sensitive data with over 580 third parties, with nearly 60% of them having experienced a breach caused by one of these firms. Three-quarters suggested they thought such incidents were increasing. Visibility appears to be a major challenge, though. Over a fifth (22%) of respondents to the study claimed they didn’t even know if they had suffered a breach episode. It also appears as if third party risk may still not be receiving the Board-level attention it deserves: only a third (37%) of respondents claimed they have enough resources to manage supplier relationships, while a similar number rated their third party risk management programme as being highly effective. Supply chains under attack Attackers are targeting professional services firms with one of two goals in mind. They’re either after sensitive client data stored by that firm or are targeting the supplier in a kind of ‘stepping stone’ or ‘island hopping’ attack focused on infiltrating the networks of its customers. Half of all attacks analysed recently by one vendor used ‘island hopping’ tactics. Examples of both types of threat are numerous. Law firms represent a particularly attractive target given the large volumes of sensitive information they hold on clients. Perhaps the best example of the potential risks involved comes from two infamous data leaks at separate law firms dubbed ‘The Panama Papers’ and ‘The Paradise Papers’. These episodes exposed the offshore tax avoidance plans of a large number of businesses, celebrities and even world leaders, destroying the trust these customers placed in their legal advisors and putting one of the law firms in question, Mossack Fonseca, out of business altogether. The threat posed to the legal sector is clearly growing, as both financially motivated cyber criminals and nation states look for valuable data on M&A deals, patents and other sensitive 52
Cyber Security: Risk Mitigation for Professional Services client information. A PwC report from 2017 claimed that 60% of law firms had reported an information security incident over the previous year (up from 42% in 2014). That same year, the UK Solicitors Regulation Authority estimated that circa £11 million had been lost to cyber crime in the previous 12 months. Sometimes, professional services firms are their own worst enemy when it comes to risk exposure. A 2018 report found over one million corporate e-mail addresses belonging to staff at the UK’s Top 500 law firms for sale on Dark Web sites. Most were linked to a password, offering cyber criminals a simple way in which to crack open corporate accounts. It’s believed employees had used these corporate credentials to register accounts with consumer sites like Facebook and LinkedIn, which were subsequently breached. Nation states join the fray In the other type of attack, professional services firms are targeted with a view to compromising their clients. Operation Cloud Hopper, uncovered in 2017, saw an attack group (namely APT10) with links to the Chinese state compromise managed service providers (MSPs) on an “unprecedented” scale. “Given the level of client network access MSPs have once APT10 has gained access to a MSP, it’s likely to be straightforward to exploit this and move laterally to the networks of potentially thousands of other victims,” noted PwC. “In turn, this would provide access to a larger amount of Intellectual Property (IP) and sensitive data. APT10 has been observed to exfiltrate stolen IP via the MSPs, hence evading local network defences.” Other techniques include ‘watering hole’ attacks, whereby the website of a professional services firm is compromised in order to spread malware to the computers of partner organisations whose users are likely to visit it. One vendor has even warned of a ‘reverse business e-mail compromise’ attack in which hackers compromise the mail server of a supply chain organisation in order to spread fileless malware to trusted partners. The cyber risk from third party professional services firms doesn’t just include data theft, either. Below par security among suppliers could also expose organisations to the threat of ransomware. According to NTT Security’s findings, business and professional services firms experienced the second highest rate of ransomware infection globally last year. Given the scale of the threats confronting organisations, it’s time to elevate third party risk management to the level it deserves. The “The cyber risk from third party professional services firms doesn’t just include data theft, either. Below par security among suppliers could also expose organisations to the threat of ransomware” National Cyber Security Centre has developed some useful guidance setting out four key principles which should inform any programme. These are: understand the risks, establish control, check your arrangements and then work towards continuous improvement. Understanding the risks means being clear about what needs to be protected and why, knowing who your suppliers are and being aware of what – if any – security gaps they have. Establishing control is all about communicating minimum standards expected of suppliers, building these considerations into contracts and providing cyber security support to suppliers where and when needed. Assurance requirements – such as pen testing and/or formal certifications – should then be built into supply chain management. Finally, it’s a case of encouraging a culture of continuous improvement and mutual trust. This will need to develop through time as supply chains evolve and change over time. Risk-based foundation No organisation can expect to be completely insulated from cyber risk, but this approach seems to set a useful risk-based foundation upon which to build. As for specific steps that we would recommend, they should include first conducting data auditing to understand what needs to be protected and which suppliers handle which high-risk data. Best Practice security controls and processes can include tighter access controls along the lines of least privilege, enforced with risk-based multi-factor authentication. Anti-malware protection and threat detection are also a ‘must’ on endpoints, networks and servers, as well as for e-mail and web gateways. Regular patch management should be another ‘given’, alongside continuous network monitoring. Incident response and pen testing plans must be run regularly to ensure IT teams have an up-to-date view of their risk profile. Modern techniques like threat hunting can also provide a more proactive approach towards security which will help in heading off any attacks before they impact the organisation. Finally, don’t forget the role of people in the security environment. They’re often thought of as the weakest link, but if properly trained they can provide a welcome first line of defence. Azeem Aleem: Vice-President of Consulting at NTT Security 53 www.riskxtra.com>
Page 1 and 2: x www.riskxtra.com RISKXtra Securit
Page 3: x RISKXtra June 2019 Contents 44 Th
Page 6 and 7: x RISKXtra Surveillance Camera Comm
Page 8 and 9: x RISKXtra IFSEC International welc
Page 10 and 11: x RISKXtra Advertisement Feature In
Page 12 and 13: x RISKXtra Fatal Accidents and Crim
Page 14 and 15: WORLD CLASS. BRITISH MADE. Chris.E
Page 16 and 17: x RISKXtra BSIA Briefing their prop
Page 18 and 19: x RISKXtra The Centre of Attention
Page 20 and 21: D E S I G N I M A N U F A C T U R E
Page 22 and 23: FIRE SAFETY Andrew Speake: National
Page 24 and 25: FIRE SAFETY “We’ve lived by BS
Page 26 and 27: FIRE SAFETY Pulse Alert Visual Alar
Page 28 and 29: FIRE SAFETY Roland Martin-Bessey (o
Page 30 and 31: FIRE SAFETY Voice is Choice for Eme
Page 32 and 33: x RISKXtra The Changing Face of Sec
Page 40 and 41: x RISKXtra Meet The Security Compan
Page 42 and 43: x RISKXtra Meet The Security Compan
Page 44 and 45: x RISKXtra CSyP: The Gold Standard
Page 46 and 47: x RISKXtra Most security business s
Page 48 and 49: x RISKXtra Detector Selection: Do Y
Page 50 and 51: x RISKXtra The Dawn of Intelligent
Page 54 and 55: x RISKXtra Professional Development
Page 56 and 57: x RISKXtra Risk in Action Risk in A
Page 58 and 59: BENCHMARK Smart Solutions BENCHMARK
Page 60 and 61: x RISKXtra Appointments David McCan
Page 62 and 63: ACCESS CONTROL ACCESS CONTROL ACCES
Page 64 and 65: DISTRIBUTORS LEADING DISTRIBUTOR OF
Page 66 and 67: SECURITY LIFE SAFETY EQUIPMENT INTR
Page 68: Secure operations 24/7 to see all t

RiskXtraJune2019

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?