No Enterprise Is An Island — And Cyber Security Defenses Shouldn’t Treat Them Like One
Each year, businesses and government organizations pour millions of dollars into cyber security defenses that are built on a single fallacy: that the enterprise can be defended like a castle. IT and security professionals create strategies that focus only on their own companies, with little or no consideration of the organizations they do business with.
Enter the headquarters of any large enterprise, and you’ll see that it is much more like an open marketplace than a castle. Each day, organizations interact — in person and online — with dozens, even hundreds of other organizations, exchanging data, making transactions, handling logistics, and obtaining needed goods and services. Virtually every enterprise is part of a vast supply chain — an industry or community — that involves many participants. Doing business with others is the very reason that these organizations exist.
Yet, most of these organizations build their cyber security defenses as if they were islands. They buy their own security technology, maintain their own security teams, set their own security policies, and monitor their defenses primarily for themselves. They do little, if anything, to ensure that their business partners are maintaining effective defenses, or that the interdependent systems and applications of the entire supply chain are completely secure.
Cyber criminals and other attackers understand this vulnerability. Recent security breaches at Adobe, Facebook, Twitter, and The New York Times all began with compromises not in those enterprises’ own environments, but with breaches of suppliers and partners. One of the greatest security breaches in history – one which affected dozens of major retail and financial institutions and millions of consumers – began with the compromise of a single, common supplier, Heartland Payment Systems. In all of these cases, the cyber security failure took place not in the enterprise’s own defenses, but in its supply chain.
If enterprise security is ever going to improve, organizations must change their mindsets and begin to look beyond their own walls and IT domains. They must go beyond their own internal firewalls, routers and applications and look more closely at the shared infrastructure and applications that make up their lines of business. Just as they track shipments and financial transactions from source to destination, enterprises must track data across organizational borders and monitor the efficacy of all the entities which will handle it. For most organizations, supply chain security should be as important as — if not more important than — enterprise security. This mindset is not only essential in defending critical infrastructure, such as funds transfer networks or electrical grids, but in any industry where businesses rely on each other to operate.
Getting Involved With Partners
One reason that enterprises fail to get involved in supply chain defense is the mistaken belief that they cannot change the way their suppliers and partners maintain their separate defenses. But in most cases, all partners have an equal stake in maintaining security, and there are sometimes industry standards such as healthcare’s HIPAA or retail’s PCI DSS that provide a strong starting point for inter-organizational communications. But such guidelines are not enough to ensure that data is safe as it passes through the supply chain. Enterprises must also ensure that the applications that handle the data — the underlying software and infrastructure of the supply chain — are free of vulnerabilities.
To begin with, organizations should proactively seek ways to certify that their partners’ applications and networks are secure before allowing them to connect to the parent enterprise. Formal industry-level vendor testing programs are still in their infancy, but the number of attacks at the application, transport, and network layers is growing. Third-party testing programs and services are some of the easiest and best ways for an organization to ensure that digital connections are safe before information flows through them.
Ideally, organizations should implement a mandated, holistic security governance initiative with their business partners. In such an initiative, developers writing software code would be trained to build security into the entire software development life cycle (SDLC), and software quality assurance and testing would ensure that all code tested meets stringent security policies set forth for doing business. Organizations could even put programs and incentives in place to reward the teams that contribute to software development, ensuring that security checks and policies are met before applications are released into production. And once the application moves into production, security checks should be part of the regimen in all of the network operations and data centers involved in the supply chain.
And it doesn’t stop there. Even when applications are operating effectively and securely, they are constantly under scrutiny by attackers looking for vulnerabilities or points of entry. Enterprises along the supply chain should persistently and continuously test their applications, monitor their status, and report on potential problems in real time, preferably through third-party certification services. Such regular assessments help to ensure that applications along the chain are clear of vulnerabilities, and help mitigate the risk of a major breach among any of the partners.
Today’s enterprises have made great strides in organizational cyber security, but as recent breaches attest, they must extend their efforts to encompass those entities with which they interact every day. Only through this sort of broader initiative can they build a defense that is truly effective in protecting their data — and their business.
Bala Venkat is Chief Marketing Officer at Cenzic.