Let’s go back in history for a moment, to a time before Europeans had reached the Hawaiian islands. In one respect, life there was rather good: the natives of the Hawaiian islands were physically isolated from the rest of the world and generally in good health.
Then along came Captain Cook, the famed British explorer sent to the Hawaiian islands to colonize them in the late 1700s, as was usual back then. Unfortunately, the diseases he and his crew brought with them had devastating effects on the native population, which serves as a cautionary tale about the impact of external forces on isolated environments. 62 years after his first arrival, the population of Hawaii had dropped approximately 84% due to diseases he and other colonists brought to the islands.
OK, we now understand this, and over time we have figured out ways to take control of such situations (or so we hope). There is a lesson here, to be sure. You can be pretty healthy and seemingly resilient in your closed-off environment for a long time. Once you start interacting with others outside of your pleasant, clean, healthy environment, things can go sideways pretty quickly.
So where am I going with this? Well, recently there was an article in VentureBeat titled “Uber breach shows third-party vendors are the weakest link”, which discussed a recent breach where attackers gained access to the database of a third-party vendor associated with Uber “and leaked the account information and PII of around 77,000 Uber employees on a hacker forum.” The attackers gained access to an AWS server where the information was stored.
Now, this is rather interesting because while Uber may be doing all it can to secure its own networks, the many third-party organizations that Uber interacts with may not be doing as well at addressing cybersecurity issues, leaving them vulnerable to cyber threats and data breaches. So an attacker may have a difficult time infecting the organization directly, but if they sail in aboard the third-party ship, things change.
As the article states, “Vendors and other third parties are often granted the same access as employees, but with fewer security measures, making them a weak link and therefore a popular target for threat actors.” While it is evident that an organization has to perform due diligence on a third-party associate to prevent digital diseases from infecting its networks, simply relying on the vendor’s word may not be enough.
To the extent allowable by law, an organization that must protect its critical assets and personally identifiable information (PII) needs to proactively do what it can to determine whether the third-party vendor, at a minimum, has any vulnerable systems exposed to the internet, which could be an indicator that the third-party vendor is at risk of being breached. In the worst case, they may already have been compromised. Once this determination is made, the third-party vendor can be informed that the risk exists and be “firmly and politely” asked to resolve the discovered vulnerability.
Modern labor forces simply will not work in an environment where connectivity is not an option. We all know that by now. We are no longer living in a world where any network can survive in isolation for very long, regardless of how critical the systems are. Cybersecurity threats are pervasive, but keeping your organization from catching digital diseases is achievable by taking more proactive measures.