“It has gotten to the point, unfortunately, where they are so frequent and common these days, that it’s like, here we go again,” Christopher Sitter says when I asked him about the prospect of a third-party data breach.

Sitter is the senior director of information security at Juniper Networks. He manages all things incident response-related — cyber forensics, electronic discovery, data loss prevention, governance, privacy and security operations. Sitter is no stranger to managing third-party software risk. Attackers have targeted suppliers for years, although according to Sitter, the recent uptick in headline-grabbing breaches has shifted executive and board-level conversations. Instead of cybersecurity leaders reaching out to executives with the hopes of gaining more budget for their programs, executives are now reaching out to security leaders, inquiring if their IT teams are using the latest compromised third-party software.

I spoke with Sitter about the shift in executive focus and the overall increase in the likelihood of a third-party data breach.

Register for the webinar

Executives See The Perils of a Third-Party Data Breach

Question: Your point about how executives are now coming to security leaders versus the other way around is interesting. Can you elaborate on the types of conversations you are having?

Answer: While third-party software breaches are nothing new, the recent uptick has grabbed the public’s attention, which includes executives and board members, because they are feeling the impact. Every time a new breach makes headlines, I receive calls from my family and friends asking if they were affected.

The same goes for executives. Whereas in the past, they may not have always prioritized security compared to other risks, now, every time a third-party software breach occurs, I get a phone call or email from an executive asking if the company is impacted, by how much and what we are doing to reduce the risk of reputational and financial damage. I cherish the outreach because I would rather have engaged executives than otherwise.

When a new third-party software breach happens, what does your day look like?

It’s no longer, “it’s time to wake up the executives.” It’s now, “the executives are waking us up.”

No one wants to see their name in lights. I wake up, log my kids on for remote learning, and then receive a call from an executive who saw on the news that a major company was impacted by a breach assumed to be executed by nation-state-sponsored actors. That puts everything on high alert. The executive wants to know if we were impacted and what’s our level of risk. That’s the first hour of my day when these breaches happen.

We then spend the next chunk of hours combing through the network, searching for any indicators of compromise (IoCs), identifying companies that have the most access to our sensitive data, connecting with them to see if they were affected, and sometimes helping them perform a forensics investigation to see if they were impacted. We use the opportunity to educate our executives and other suppliers.

Challenges With Securing Third-Party Software

Some organizations have hundreds of applications and platforms in their environment, most of which were developed by different vendors. What are the security challenges that come with using all of those assets?

The biggest one is trust. You have to think about how security is set up when you onboard third parties. Most companies throw spreadsheets over the fence to their suppliers and say, ‘please fill this out.’ Based on the supplier’s response, the company then determines how much risk it brings to the table.

The supplier may say it has a certificate that verifies it has security measures in place, although those processes and tools may only apply to a small component of their environment. Seldom does anyone perform an audit to verify the supplier’s responses. Companies are basically trusting the supplier’s word without seeing for themselves. The supplier is also filling out the spreadsheet with moment-in-time information. The environment and risk level can change by the time we receive it.

Plus, few companies provide transparent threat information. They allow you to see their policies and latest assessments, but you cannot actually go in and verify what they say is true. It’s a trust-based paradigm.

Knowing the trust-based paradigm isn’t changing any time soon, what can companies do to gain a better understanding of how their suppliers are securing their environment while also protecting their own environment?

First, it’s knowing what attackers would target. In most compromises, it’s usually the people who commonly interact outside the company who are targeted first, such as customer service and sales representatives. Attackers typically gain entry through those targets and then pivot to systems that contain sensitive data, such as email SaaS [software-as-a-service] platforms.

If someone can compromise an email platform where people don’t set up permissions correctly and share high-value content freely, it’s easy to move around freely and collect high-value information. Many companies lack the resources and skills to see everything that’s going on in those kinds of platforms. Yet, they contain a treasure trove of information and data.

You also need to understand the IoCs of third-party software attacks so you can look for behaviors that may indicate malicious activity. Outbound transmission, for example, should be monitored. You want to look for communications that are going somewhere they have never gone before. That’s the biggest red flag. An application that will change or elevate privilege is another one. Security controls typically include some type of behavior analytics that can help flag those kinds of unusual behaviors.

Another good action to take is to shut down things you don’t need — close down redundant solutions. The action may not be popular among your employees, but how often do they need access to their personal email platforms during the day? Should their personal tablets connect to the corporate email platform? Many companies leave those vectors open to please employees, but they are easy places for data to be exfiltrated.

We invite you to join a panel discussion with Sitter,  X-Force Red hackers and X-Force incident responders at 11 am EST, April 28, 2021, where we will chat more about the risk of a third-party data breach and other timely security topics. Register for the webinar here.

More from Data Protection

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today