In today’s connected world securing your own network is simply not enough. Today your digital risk extends not only to your own servers, PCs and other devices in your offices and other locations; it also extends to your mobile workers and other staff working from home, customer sites and other remote locations. But the third, and often ignored, area of digital risk is your supply chain; companies that have access to your employee and customer information.
The risk was underlined again last week with two stories I saw – first a well-known Denver based car wash confirmed many of its point of sale terminals had been compromised, revealing customers’ personal details. Then in the UK, a parking app confirmed its network had been compromised, exposing more customers’ details bank and credit card numbers. Taken in isolation these incidents appear to be ‘just another case of data breaches’ but in reality, they should be a worry for all security teams across governments and companies around the UK and further afield. The trouble is we know that people are lazy and often use the same email addresses and passwords across multiple sites. Research last year suggested that many people think nothing of using their company email address and the same passwords they have in the office when accessing a wide range of services and online sites.
So, what happens when cybercriminals get hold of their details and passwords via a car parking app or a cleaning service? Criminal organizations running online scams and hacks know that a large percentage of people using car services will be corporate employees, and that a good way to circumvent the millions of dollars a year spent on cybersecurity is to target the suppliers and companies we use outside of work. Sometime ago I heard about a car chauffeuring business which was similarly targeted and compromised. The actors used executives’ personal details to target them via phishing and other targeted attacks.
The trouble is that in this connected world we all have a large digital footprint, a shadow of our activities and interactions across the web. While this footprint can be advantageous, information can be inadvertently exposed and thereby used maliciously. Besides damaging your brand, a digital shadow can leave you vulnerable to corporate espionage and competitive intelligence, as well as create targets for cyber attackers.
So, we cannot wash our hands when we have built the best possible defences for our own businesses and networks. Today the network is vast and continually growing. We are not the only people to leave behind traces online, the adversary also casts a shadow like that of private and public corporations. We can use that information to understand attacker patterns, motives, attempted threat vectors, and activities on the dark web, to better assess and design your security postures. By ensuring we have the necessary visibility to manage our own digital risk and ensure we have warning and knowledge of any threats which might come via this extended connected network of suppliers, employees and other third parties. In that way, we can hope to become more secure and enjoy the huge benefits the digital world brings us.