A house of cards: securing digital connections across organisations

File sharing and messaging systems between organisations can become an open outlet for your data. How can you protect your digital pathways while collaborating?

Every company relies on communications and interfaces with other organisations, whether that’s for professional services like legal services or consulting, or for the licensed software products which make up their internal infrastructure. Of course, we need these lines of communication open to collaborate effectively. But how secure are they really?

Our relationships with partners & suppliers significantly influence our own organisation’s security posture

Whenever an organisation integrates a tool with a third party, it immediately becomes reliant on how secure that third party is too. This could be as simple as opening up a file sharing platform for consultants to access on their work laptops so they can better collaborate with your internal teams.

When we open our environment, we implicitly trust the data and files on these platforms, while also exposing ourselves to risk. For example, opening a file share or messaging platform means you often have limited control over what information can or will be uploaded. Still, sending through malicious files isn’t usually a conscious decision. Malware may already be present in your partner’s or vendor’s environment from a previous breach caused by lax security policies.

Taking this one step further, companies are often reliant on third parties managing their own identity and access management systems, creating a “federated” security environment. It’s critical for these systems to be effective and up to date, including the removal of anyone who has left the company. Breaching these vendors in your software supply chain can lead an attacker directly into your own environment: finding old credentials and forgotten leavers is a free pass straight in.

What can be done?

It’s too laborious a task for individual security analysts to keep track of all the data and access across your distributed environment. The only way to do this effectively is by automating security analytics and protective tasks using artificial intelligence. Until we have solutions like this available in the broader marketplace, it’s critical that we work closely with our partners and vendors. This means the chief information security officer (CISO) and security team should be involved in our sourcing and procurement discussions, working to mitigate any potential risks and ensuring there’s cohesion across security policies.

Alternatively, there’s an opportunity for the wider industry to smooth over these interactions by adopting an objective “cyber hygiene” score, providing a level of trust across organisations, as their counterparts have at least been set up in a secure manner. We can take inspiration from the food and beverage industry’s labelling practices, where ingredients, recommended dietary intakes and the traffic light system are used as tools to inform decisions. Making these types of assessments over an internal infrastructure needs to be automated as much as possible; otherwise deployment at scale across the industry becomes manual and arduous.

These extra efforts might be seen as uncomfortable or inconvenient, but they’re important to ensure that second-order risks are appropriately protected against. These are the risks being used by threat actors every day to launch even more sophisticated attacks, leaving our infrastructures looking like a ‘house of cards’.

A little pain now can avoid large-scale disruption and widespread business impact later caused by these silent insider attackers.

Originally published in the Evening Standard
