UXC Saltbush NSW Manager David Begg explains why protecting your information assets is not just about ‘stranger danger’ – threats can come via the best of friends!
In assessing and managing your information security risk, you must look beyond your own enterprise. The organisations you do business with may be a soft target, even if you aren’t. If your systems are connected in any way, you’re potentially creating a back door for cybercriminals.
Astonishing examples include:
- Hackers who stole millions of Target’s US customers’ credit card details in 2013 came in via the systems of the retailer’s air conditioning contractor.
- Here in Australia, at least four tax agents had their digital certificates breached in 2013 in order to steal taxpayer information – although the ATO assured the public that the risks were contained and only potentially affected 20 taxpayers.
- When security provider RSA was compromised in 2011, probably by a foreign government, the end targets of the attack were its customer Lockheed Martin and other US defence contractors.
Not policing the electronic exchange of data potentially makes an enterprise as vulnerable as its smallest, least technically sophisticated supplier – or, as in the third example above, even when that partner is itself a world-leading security vendor!
ISO 27001 Recommendations
It’s an issue that was addressed when the internationally accepted information security standard was updated a couple of years ago: the single biggest change to ISO 27001 covered supplier relationships. Accepting that it’s too hard to police the cyber defences of all the entities you deal with yourself, it recommends you:
- Identify all organisations you deal with
- Understand what the relationships are in terms of what access is needed to what data
- Assess the risks of dealing with the entity
- Determine how to limit or mitigate those risks
For example, you could force multiple smaller suppliers or certain transactions through a secure portal. In the case of major suppliers, or those needing access to confidential data, you could require them to institute standards such as PCI or 27001 for their own systems.
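The four steps above, worked through as a small supplier risk register: it inventories each connected organisation, records what data it can reach and how, scores the exposure, and maps each supplier to the mitigation the article suggests (a secure portal for smaller suppliers, certification for major or confidential-data suppliers). This is an added illustration, not code from the article or from UXC Saltbush; the weightings, the supplier records and the decision rules are assumptions.

```python
from dataclasses import dataclass

# Assumed ordinal scales: higher means more exposure if the supplier is breached.
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3}
ACCESS = {"none": 0, "portal": 1, "api": 2, "network": 3}


@dataclass
class Supplier:
    name: str         # step 1: every organisation we exchange data with
    data: str         # step 2: most sensitive data class it can reach
    access: str       # step 2: how its systems connect to ours
    certified: bool   # holds ISO 27001 / PCI DSS (or equivalent) attestation
    major: bool       # strategic supplier rather than a small vendor


def risk_score(s: Supplier) -> int:
    """Step 3: exposure = data sensitivity x breadth of the connection."""
    return SENSITIVITY[s.data] * ACCESS[s.access]


def required_control(s: Supplier) -> str:
    """Step 4: choose the mitigation the article suggests for this supplier type."""
    if s.access == "none":
        return "no connection: inventory only"
    if s.data == "confidential" or s.major:
        if s.certified:
            return "retain certification evidence; review annually"
        return "require ISO 27001 or PCI DSS certification before access"
    if s.access in ("api", "network"):
        return "move to secure portal; remove direct connectivity"
    return "secure portal: keep access scoped to portal data"


def triage(suppliers: list[Supplier]) -> list[tuple[str, int, str]]:
    """Rank the register so the riskiest relationships are handled first."""
    rows = [(s.name, risk_score(s), required_control(s)) for s in suppliers]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample register (not real suppliers).
REGISTER = [
    Supplier("HVAC contractor", "internal", "network", certified=False, major=False),
    Supplier("Payment processor", "confidential", "api", certified=True, major=True),
    Supplier("Backup provider", "confidential", "network", certified=False, major=True),
    Supplier("Stationery vendor", "public", "portal", certified=False, major=False),
]

if __name__ == "__main__":
    for name, score, control in triage(REGISTER):
        print(f"{score:>2}  {name:<18} {control}")
```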
In a recent article, my colleague Dave Jarvis says there are three realities senior executives must accept today: your enterprise is connected, you will experience data breach and you won’t necessarily know it happened. Paying due attention to how you connect with your friends will reduce the risk you’ll be attacked by your enemies.
About the Author
David Begg is NSW Regional Manager for UXC Saltbush. An experienced Information Security Specialist with over 18 years in the IT industry, he previously held senior roles with NSW ServiceFirst and Ernst & Young before joining Saltbush in 2010. He specialises in the development of information security frameworks and policies, ISO 27001 certification and keeping senior management abreast of security issues.