Friends don’t let friends compromise security: Extending cybersecurity to supply chains

Network attacks are on the rise, and as with all things security, it’s always best to get ahead.

This summer, the Wall Street Journal ran a story about Russian hackers infiltrating “air-gapped” networks of US utility companies with “relative ease” as just one part of a tale that’s becoming all too common. The NY Times described another scenario in which a security researcher at the cybersecurity firm UpGuard found tens of thousands of sensitive documents from major auto manufacturers exposed on the open internet, including engineering plans, factory schematics, contracts, and non-disclosure agreements. And though they’re not cyber attacks per se, we also saw serious data privacy breaches with Facebook via Cambridge Analytica and Google via the Google+ API bug.

What remains consistent throughout these incidents and the countless others like them? Each one resulted from the exploitation of weak security at third parties such as partners, suppliers, and customers. Whether through deliberate acts by bad actors or through insufficient data controls, these incidents are always a possibility.

As the NYT article lays out:

“Many of the worst recent data breaches began with a vendor’s mistake. In 2013, thieves infiltrated Target’s payment terminals and stole credit and debit card information from 40 million customers. The attackers got in by hacking one of Target’s heating and ventilation contractors, then using information stolen from that business to gain access to Target’s systems.”

A November 2017 study of CISOs from Ponemon Institute found that only 22% of organizations hold their business partners, vendors, and other third parties to high security standards. Even more astonishing is that this comes in spite of the fact that over half the companies surveyed had suffered a breach as a result of a vendor’s lax security posture. In life-critical areas of our economy, such as the utilities sector, regulators are recognizing exactly how big a risk this is. Just this week, the Federal Energy Regulatory Commission (FERC) approved new cybersecurity standards for supply chain risk management, covering documented management plans, electronic security perimeters, where vendors operate, and configuration change management and vulnerability assessments.

As Microsoft partners, many of you are directly involved in assessing, mitigating, and implementing security solutions for our mutual customers. Microsoft now has over 100 Co-Sell Ready third-party security solution offerings from our partner community, including Cloud Security Assessments, Advanced Threat Analytics onboarding, Secure Score implementations, real-time spear phishing and cyber fraud defense, EMS Managed Services, MFA deployment, training, and many others. However, how often do you expand the security work you do with our customers through their extended supply chain? How often do our customers even consider this at all?

Selling on fear isn’t always the best approach, yet we sometimes notice complacency among customers who have yet to experience the agony of a serious data breach. Customer obsession can sometimes mean uncomfortable conversations about the risk our customers are exposing themselves to. When they do not take appropriate protective action for their own environments, all the way through to their partners’ IT environments, they carry a legitimate risk that they need to know about. But what if establishing a strong defense beyond the customer’s IT estate is impractical or impossible? How should our customers respond then?

Matt Soseman, one of our security-focused Cloud Solution Architects, posted an excellent summary back in July of our client security services: Preventing a data breach, avoiding the news, and keeping your job. In it, he details the importance of treating identity as the new perimeter. It doesn’t just matter how tightly you’ve locked down your network and data: if your identity is compromised, that protection is meaningless. I absolutely suggest taking a closer look at this piece.

Our recommendation to partners involved in a security conversation with our customers, whether it is fundamentally a security engagement or as a consideration of a larger project, is to follow these three steps:

  1. Offer cyberattack simulations for your customer’s vendors on behalf of your customer. Office 365 Attack Simulator is a great example of a tool we use internally at Microsoft as well.
  2. Require Multi-Factor Authentication for any third-party organization that touches your customer’s systems/data. Azure Multi-Factor Authentication is a great solution for Office 365 and thousands of other cloud SaaS offerings.
  3. Enable Conditional Access via Azure Active Directory and combine with a robust policy for vendor access to privileged customer data.
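Steps 2 and 3 together amount to one Conditional Access policy: require MFA for every guest or external identity on every cloud app. The following is an added example, not code from the post or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in admin can consent to the listed scopes, and it uses a placeholder group ID for the break-glass exclusion.

```powershell
# Added example (not from the original post): creates an Azure AD Conditional Access
# policy that requires MFA for every guest/external user on every cloud app.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed
# and the signed-in admin can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of an emergency-access (break-glass) group that must never
# be locked out by this policy. Replace with the real group ID in your tenant.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require MFA for all guest and external users"
    # Start in report-only mode so sign-in logs show who WOULD be affected
    # before enforcement; switch the state to "enabled" after reviewing them.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("GuestsOrExternalUsers")
            excludeGroups = @($breakGlassGroupId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state '$($created.State)'"

# Verification: list every Conditional Access policy that targets guests/external
# users, to confirm the new one exists and to spot overlapping or conflicting ones.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.Users.IncludeUsers -contains "GuestsOrExternalUsers" } |
    Select-Object DisplayName, State, Id
```

Because legacy-authentication clients cannot satisfy an MFA grant control, targeting all client app types effectively blocks them for guest accounts once the policy is enforced, which is usually the intended outcome for vendor access.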

These techniques and many more are detailed in Matt Soseman’s blog as well as through our Modern Workplace Webcast series, which you can register for here.

Scott Emigh is the Chief Technology Officer for Microsoft’s US One Commercial Partner (OCP) organization. With an extensive background in tech and solution sales, Scott leads a national team of Solution Architects, Evangelists, and Strategists all focused on developing and enabling our US partner ecosystem – ISVs, System Integrators, Managed Hosters, and Volume Channel. Our mission at Microsoft remains steadfast – to empower every organization on the planet to achieve more. Our partner ecosystem is at the forefront of bringing this powerful mission to life. OCP will work to transform our partner ecosystem and simplify the programs and investment structure for our partners to drive growth and profitability. We will provide the programs, tools, and resources you need to build and sustain a profitable, successful cloud business.