Why Paranoia is a Good Thing
As Harold Finch was fond of saying in Person of Interest, ‘It’s not paranoia if they really are out to get you.’ The old security model included a perimeter, with a gate and an inner wall. We called it the DMZ. With customers and vendors increasingly connecting to internal systems to submit orders, bills, and to provide other services the perimeter is dead. What that didn’t destroy, SaaS and XaaS have through shadow IT which lets anyone with a corporate card purchase outside IT services, often with little to no oversight from IT or Security.
Elite hacker groups are now going after these secondary providers. Target was compromised through their HVAC service company. Airbus was hacked through a vendor. So were both Lowes and Home Depot. The list continues but I think you get the point. Not only do you need to worry about your own security, but you need to worry about everyone who connects to you. This includes any Shadow IT services.
Once inside a vendor, the average times for these groups to move laterally through the vendor are stunning. In just 7 minutes another system is compromised. Once the vendor is sufficiently ensnared, the attackers can go after their real prize, the major corporation. In the case of the retailers above (Target, Lowes, Home Depot), this meant the loss of millions of credit cards and customer identity data. For Airbus, it meant employee data and trade secrets to China including some secret data about military aircraft.
The bigger issue here is that you may be a target simply because of who you do business with. While landing a large contract with a large customer is certainly cause for celebration among smaller businesses, it should also be cause for reflection on security processes and posture so that you don’t jeopardize the business relationship you have worked so hard to obtain.