What’s better than two parties? A third party, according to many cyberattackers today, as threat actors frequently target providers of popular IT services.
While a hospital, auto dealer, or bank cannot easily control the security controls of their off-prem partner, a disaster-recovery plan has a chance to ease any outages when a supplier gets cyber-struck, according to IT pros who spoke with IT Brew.
This year has already seen disruptive supply-chain attacks—where the compromise of one vendor has led to IT consequences for the vendor’s many partners.
- NBC News on June 24 reported how auto dealers reverted to manual paperwork after a cyberattack hit digital-services provider CDK.
- That same month, NHS hospitals similarly documented patient blood tests without computers after a cyberattack, according to The Guardian.
- In January, Bloomberg News revealed that banks resorted to Excel, following a cyberattack on transaction-processing firm EquiLend.
“In these instances, they’re not taking a couple hours to recover. This is days, if not weeks,” Rob T. Lee, chief of research and faculty lead at SANS Institute, told IT Brew, of organizations impacted by third-party service outages.
Company cyber-incidents frequently fit the description of a supply-chain attack. Who, after all, doesn’t offer or use a third-party service?
“If you are a software supply-chain company or you make donuts, it doesn’t matter—you have a supply chain of some sort. [If] you make something, it goes to market, and you sell it and you have customers, you have their data,” BlackBerry VP of Product Christine Gadsby told IT Brew in June.
Threat actors take advantage of the inherent trust placed into a given partner, Victor Acin, head of threat intelligence operations at security firm Outpost24, admitted.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“Without being involved in their security processes, you can only hope they are doing it right,” Acin wrote in an email to IT Brew, adding that orgs must understand a vendor’s risk-management practices and the types of (critical) data the vendor receives.
Start your backups! When trust ends up in the IT strategy, Tony Anscombe, chief security evangelist at cybersecurity company ESET, recommends a cyber-resilience plan—a run-through in case of Armageddon.
How might that look for a small auto dealership? Maybe the IT crew, operations manager, a PR pro, and a service-provider rep meet during closing hours and work through questions like, after a loss of connectivity, how will they sell cars?
“Because that [scenario] could also be that somebody digging the road outside puts a spike through their broadband for half a day,” Anscombe said.
In a tabletop exercise, the team may determine cyber-incident response like delaying billing, using invoice templates in Word and printing them locally, notifying customers, or contacting a cyber-insurer’s in-house incident-response team.
A Gartner survey of 376 senior executives, conducted between July and August 2023, determined that 45% of surveyed organizations experienced third-party-related business interruptions.
Lee, who has helped with business continuity efforts in previous professional stints at the cybersecurity firm Mandiant and the Air Force Office of Special Investigations, compared cyber-resilience to the plans he experienced as a former Air Force crew commander. A more emotionally impactful training, he said, resembles the battlefield.
“Once you start adding the pressure of, ‘You’re getting targeted’...Wow, that completely changes the dynamic of everything,” he said.