Cybercrime or cyberespionage is not something you only see in a spy movie. The harsh reality of today’s world is that people steal information for power and financial gain. Almost any business can be a target, whether directly or indirectly. We have seen well-publicized attacks, like those at J.P. Morgan Chase and Home Depot in recent weeks, but many of the most damaging attacks go under the radar.
One strategy that hackers and others are taking is to attack suppliers and business partners of targets. Rather than attacking General Motors or a large government agency, why not attack one of its smaller suppliers? These companies have sensitive information from the larger organization, but may not have the same level of security controls on the information. Just like a burglar will go for the open door, the hackers will go for the easy target.
Gone are the days of having to break into a physical office or waiting for ‘insiders’ to gather information and pass on secrets. Rummaging through a company’s garbage cans was an old way to collect data when most secrets were on paper, but today neither that nor paying office staff to collect data is very efficient. With the right computer hacking skills (which are getting easier to acquire), individuals and organizations can spy on companies and obtain valuable information without ever having to leave the comfort of their office. If you want to see how vulnerable you could be, put a Windows or Linux system on the Internet without a firewall in place. I can guarantee that within minutes you will be hacked.
Government agencies, defense departments, critical infrastructure businesses and large companies in virtually every industry all recognize they are prime targets for attacks. Most of these organizations are likely to have invested in robust security measures. By contrast, many of the suppliers or contractors that work with them may not have a good understanding of the current threat landscape, or what’s required to keep ahead of the attackers. This creates opportunities for attackers to gain access to their prime target through the vulnerabilities in a smaller supplier’s or contractor’s systems. This could even extend to an individual consultant or temporary worker who has access to sensitive files.
The best way to protect against this threat is to protect sensitive files when you create them. If you encrypt a file and apply permission controls to it, you are always in control of that file. If a hacker gets access to the file from a supplier’s network or vulnerable server, the information is useless to them. Since they don’t have access rights to the file, it’s just random characters.
It’s important to have adequate layers of security defenses, like firewalls and anti-virus/malware, but these only protect the front door to your information. The bad guys want what’s inside: your sensitive information. The best strategy is to protect those files with a lock that they can’t break.
Make sure you lock your own information, but also make sure you check on your suppliers’ and contractors’. Their vulnerability could be your undoing.