Businesses integrate their networks so they can streamline business processes. The goal is to lower operating costs and achieve higher operating efficiency. But in addition to the benefits, a significant level of risk is introduced whenever a connection is made to a network outside of a company's domain of management. To protect themselves, many organizations publish a baseline of security requirements that business partners must comply with. This checklist of requirements ranges from secure HTTP access (HTTPS), dedicated firewalls, multi-factor authentication and private subnets to the specific encryption algorithms and key lengths the partner organization is expected to use. The goal is to ensure the partner's network is as secure as the organization's own.
Cybercriminals understand the virtual supply chain that exists between companies. They map the adjacent companies that have direct connections to their target organizations. So by creating a network connection to a third party, an organization is increasing the attack surface of its own network. In the past few years we have seen many companies get breached where the point of compromise was an unsuspecting business partner, often a much smaller company whose security posture and level of expertise are less mature than the target company's. This makes it easier for cybercriminals to gain access to the partner's network and then pivot across the trusted connection into the target organization. And because the traffic between the target and the business partner is trusted by design, it is difficult to distinguish an attacker's activity from legitimate partner traffic and to spot the anomalies that would indicate a compromise.
There is no single answer to this complex challenge. Standards such as the Payment Card Industry Data Security Standard (PCI DSS) help raise the security bar for all parties involved in the lifecycle of a credit card transaction. Depending on their annual credit card transaction volume, organizations can be required to undergo an annual on-site assessment by a Qualified Security Assessor, in addition to quarterly external vulnerability scans by an Approved Scanning Vendor. The standard establishes a baseline level of security across all parties to minimize everyone's risk, including the consumer's.
Another common practice is for publicly traded companies to require privately owned business partners to comply with Sarbanes-Oxley (SOX) if they want to do business with them. SOX is concerned with internal controls over financial reporting rather than with security as such, but the IT general controls it requires (access control, change management, and segregation of duties, among others) raise the partner's security bar as a side effect. This is a significant cost for the privately owned company, but it does help protect the publicly traded company from the risk of a business partner with a subpar security posture.
Companies that open and extend their networks to third parties need to define, enforce, and audit a set of baseline requirements to minimize their own risk. Without that level of extended governance and risk mitigation, they should never expect what they don't inspect.