There is a well
known threat that has been talked about with the Board of Directors
behind closed doors for years. This threat is not new to most
Operational Risk Management (ORM) professionals and yet executive
management is still in denial that it could happen to us. Have you or
someone in your C-Suite ever awakened one morning and wondered how the
companies new plans for a merger are now in the published press? What
about that new research and development breakthrough that ends up with
another company with a similar process being patented a week or a month
ahead of you?
What
is the threat? Call it competitive intelligence, economic espionage,
press leaks, loose lips or advanced persistent threat (APT), it does not
really matter. The threat remains from all those people, rivals,
industry peers, countries, states, allies and enemies that are working
24 x 7 x 365 to copy your valuable information and use it for their own
advantage. What advantage depends on who obtains the valuable
information and how they will eventually use it or sell it.
What
is even more fascinating to most subject matter experts, is the amount
of information that is still created and allowed to be compromised in
some way that is false, fake and designed to confuse the adversary. So
what is it, that much of executive management still does not understand
about all of this?
The
"source" of the vulnerability that is leaking or allowing the secret or
confidential information to be compromised. They still to this day are
naive to the potential source. This source is not even inside their own
company or organization in many cases. It is within the organizations
data supply chain somewhere, but where is it exactly?
The
answer is only possible to narrow down, if you absolutely know where
your data and secret or confidential information is collected,
transported and stored, in the hands of trusted third parties, outside
the four walls of your business. That is the remedial first step.
Creating a definitive map of who has custody of your data through some
kind of third party agreement. The agreement could be with any number of
key business partners in your data supply chain:
- Banker
- Venture Capitalist
- Accountant
- Attorney
- Insurer
- Internet Service Provider
- Utility
- Data Telecom Provider
- Wireless Telecom Provider
- Payments Processor
- Document Custodian or Shredder
Even
more important may be the question of which one of your data supply
chain business partners, has the least amount of resources, people and
state-of-the-art detection systems for the APT, Zeus, and other
mechanisms that are ex-filtrating your data to another country. When was
the last time you asked any of your business partners to walk you into
their IT department for a look around with your CIO or CTO?
Believe us when we say that if you get that "Deer in the Headlights" look on your business partners face, you are in trouble. You can bet that the attackers are not attacking you, as much as they are attacking your data supply chain. As an example, if you say in public or on your public filings that you have your primary outside counsel firm as "Red, White and Blue," you can be assured that your adversaries will take notice.
You
see, just because your organization has spent millions or billions on
new data centers with the most sophisticated technologies available to
counter your cyber adversaries, how can you be sure that your business
data supply chain has done the same? There is only one way to do that
and it is in person and on site. You may consider this level of due
diligence before handing over your business for the merger and
acquisition project or the development of a vital new component for your
new patented product. A model "Request for Information" (RFI) on the
business partners controls and capabilities for securing your sensitive,
confidential and secret information shall be a first step requirement.
The
second step shall be to get an inventory of what systems your data
supply chain partner has in place to mitigate the risk of a data breach.
At the top of that list, should be the management system that governs
all the other hardware and software systems. So even if your business
partner says they are using RSA NetWitness or ScoutVision on their corporate networks
and Good MDM for their mobile devices, that is not going to be enough. More from Europol:
The
overarching "Management System" is not about technology. It is not
about your favorite eDiscovery or computer forensics guru. It is about
the way your business partner trains and educates it's people. It is
about how those people use relevant business controls to secure your
secrets, confidential data and records. Look at their behavior around
this topic of "Achieving A Defensible Standard of Care" and you will
soon discover whether you have found the most ideal banker, accountant
or attorney to entrust to your digital supply chain.A decline of traditional hierarchical criminal groups and networks will be accompanied
by the expansion of a virtual criminal underground made up of individual criminal entrepreneurs, which come together on a project-basis and lend their knowledge, expe- rience and expertise as part of a crime-as-a- service business model.