Issue Eighteen

October 2022

Data is the currency that fuels our digital economy. Without it, we move blindly through the marketplace reaching for guardrails we can’t see, hoping they even exist. Data-driven strategies illuminate the path for strategic investments and have therefore become a competitive necessity. We realize efficiencies and economies of scale through the intelligent use of meaningful data.

We realize similar power from strategic partnerships, keeping our organizations agile and focused, leaning on the expertise of specialists. These partnerships are chartered with many responsibilities, but none more important than protecting the organization itself. The price of accountability is at an all-time high.

Regulatory bodies are seeing the light as the SEC and FTC work to enhance their rules and requirements for cybersecurity and data privacy. These are both worthy efforts to follow as there will most certainly be a tangling of regulated and unregulated industries through third-party supply chains.

We’re transformed, we’re connected, and we’re amassing and leveraging data as our currencies every single day. We must work in earnest to gain visibility and control of our organizations and everything that touches them. This month’s issue of Target Lock sets its sights directly on the criticality of governance, enterprise risk management, and regulatory prescience as the true north for business viability and sustainability.


ZEROING IN


Third-party attacks spike as attackers target software connections

Cybersecurity Dive

Within our digitally transformed world, every point of connection into your organization - whether a vendor, locally installed software, or a SaaS platform - represents a potential risk; these risks extend far, wide, and are increasing exponentially. In fact, according to a recent study, supply chain and third-party cyberattacks have increased by 650% within the past year, with 45% of organizations experiencing at least one supply chain-related attack in the past 12 months.

"Third-party vendor attacks are growing because of this amplification effect. The level of access or data open to potential exposure throughout the supply chain presents threat actors with a means to hit more targets with more consistency and success."

Locating points of compromise through third-party tools and services - an attack surface with deep and expansive pathways - often provides detailed relationship mapping and ultimately jumping-off opportunities for downstream attacks which are highly targeted.

"The moment they know more about your relationships and your automated processes than you do, you're in serious danger."

The imperative for every business and organization, irrespective of size, is to gain comprehensive visibility into their supply chain, no matter how innocuous any point of connection may seem. Additionally, third parties should provide attestation as to their own cybersecurity program and posture - this level of mutual responsibility and accountability represents the only path forward towards making tangible progress in securing our global supply chains.

“The great lesson should be there are no innocuous connections, there are no intrinsically safe partnerships.”

SQ Insight: Kenneth Holley - Chairman


A 'nightmare scenario': Data-tampering attacks are hard to detect, with devastating consequences

Protocol

While ransomware and the disclosure of sensitive data remain top cybersecurity concerns, attacks involving the manipulation of data could pose a significantly larger threat in the not-too-distant future; something that the majority of business and security leaders simply aren't focused on or largely aware of. And while not unprecedented, this type of threat is comparatively the most nefarious and the hardest to detect. Additionally, data manipulation could be used to fortify efforts around misinformation / disinformation.

"What happens when you can't trust your own data? This is a nightmare scenario.

"While technologies for protecting against data integrity attacks have existed for some time, use of such wouldn't necessarily detect changes in data by someone who appears to be an authorized user, whether leveraging stolen credentials or through malicious insider behavior. And given the world's increasing reliance on algorithms, adversarial threats against machine learning models pose an additional and serious concern, with the stakes high for protecting that ecosystem.

"While data manipulation may only constitute a simmering threat at this point, we know that the potential consequences could be pretty major for this type of attack..."

It's clear that within today's digital threat landscape, seeing is not necessarily believing any longer. This underscores the need for organizations to strengthen their cybersecurity program with particular emphasis on identity management, all through a risk-based approach.

"There's been a shift in how our society is making decisions and the type of information we're making decisions on — whether it's an enterprise or the government or an individual, and that information can easily be manipulated."

SQ Insight: Kenneth Holley - Chairman


New York’s Department of Financial Services Proposes New Cyber Compliance Requirements

JDSupra

Regulatory prescience.

I suspect that for many readers, the headline “New York’s Department of Financial Services Proposes New Cyber Compliance Requirements” does not provoke interest and is easy to dismiss.

“Our company does not do business in New York,” “We are not regulated by the DFS,” “Our company is too small,” or “We are not a financial institution.” I might suggest you pause and take a moment to read and reflect.

The newly proposed cybersecurity requirements by the New York DFS are another in a series of actions by regulators to make a priority of cybersecurity governance, risk management, and compliance. Take for example the Securities and Exchange Commission’s proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting announced earlier this year. Again, it is easy to dismiss this development if you are not a publicly traded company.

Consider as well, the introduction and passage out of committee of the American Data Privacy and Protection Act, a significant development with many urging passage. And if that were not enough, the Federal Trade Commission announced a proposed rulemaking intended to address privacy regulations and data security.

“But, none of these apply to my company. Why should I care?”

The trend is clear – cybersecurity governance, risk management, and compliance are imperatives for any business in any sector. Evidence of good cyber hygiene is fast becoming the price of admission for businesses seeking to provide products and services to other businesses.

Case in point, let’s revisit the DFS proposal as a prime example of how rules of this nature will impact the entire supply chain. The DFS proposal defines a third-party service provider as any person that “provides services to the covered entity; and maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the covered entity.”

In other words, if your business, regardless of size or annual revenue, provides services to a company subject to the rules, you will be required to maintain a cybersecurity program and implement policies and procedures designed to ensure security and confidentiality. So, while not directly regulated, third parties are becoming quasi-regulated entities in that covered entities will demand evidence of compliance if you wish to become a third-party supplier of products or services.

Third-party suppliers -- take heed. Any business that does business with a regulated entity should review its cybersecurity program and overall cyber hygiene. “We are not a regulated entity” is no longer a sustainable argument, and adopting that posture is likely to result in financial and reputational risk.

These regulatory developments are the canary in the coal mine. Compliance, much like cybersecurity, will require strategic planning and budgeting today to prevent playing catch-up in the future.

SQ Insight: Tony Ogden - President, GRC

Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
