When the NotPetya cyberattack quickly made its rounds, one of its hardest-hit victims, shipping conglomerate A.P. Moller-Maersk, learned firsthand the threat that a supplier base can pose.
Maersk Chief Technology and Information Officer Adam Banks spoke earlier this month at a cybersecurity conference, reflecting on that 2017 attack. He noted that the company was "not unusually weak," adding that the same is true of many organizations and can, unfortunately, lead to a false sense of security. Oftentimes, an organization's weakest point doesn't exist within the organization at all. Rather, it lies in how that organization connects to its customers, business partners and suppliers, all third parties over which an organization has no control.
So while a business can invest heavily in its own cybersecurity measures, vulnerabilities within a third-party vendor can fast become a supply chain-wide problem.
NotPetya was just one of the cyberattacks able to take advantage of that vulnerability, using an enterprise financial software company to infect that target's customers. It's a case that illustrates the risks third parties pose to businesses when enterprise apps open access to a firm's companywide network, according to Patrick Foxhoven, chief information officer and VP of emerging technologies at cloud security firm Zscaler.
This is precisely the threat Zscaler targets with its latest rollout, Zscaler B2B. The solution focuses on business-to-business (B2B) integrations — for instance, between a company and one of its vendors — to address and mitigate cybersecurity risks found within enterprise apps that connect those two firms.
When businesses adopt these apps, vendors and suppliers, along with their own devices, are looped into a corporate network, Foxhoven explained to PYMNTS in a recent interview.
"This means that any malware lurking on those devices can be introduced to the network, and spread laterally across the entire environment. This is exactly how a well-known ransomware attack like NotPetya was able to take down Maersk's entire network for multiple days," he said.
Experience Over Security
Organizations aren't entirely unaware of this risk. After all, the more cloud-based and internet-connected enterprise apps in place, the wider the surface area is for a bad actor to attack.
"The challenge," explained Foxhoven, "is that they often have to choose between delivering a good user experience or having a strong security posture. Given that these are suppliers and customers, user experience tends to win out over security almost every time."
Today, it's common for organizations to wield SSL virtual private network (VPN) technologies to safeguard remote access to corporate networks from, say, a vendor sales representative or accounts receivable professional. Cybersecurity and IT experts agree that ease-of-use for end users is among the biggest advantages of SSL VPN technology. However, among its greatest weaknesses is a relatively low threshold when authenticating a user. A professional at a supplier may only need a username and password to log on to one of its customer's enterprise apps, which means that user subsequently gains access to the company network.
If that professional leaves the supplier, or their login details are compromised, individuals who shouldn't be able to log in can easily gain access to that app (and the company network).
While businesses are often aware of the security risks of their enterprise apps, Foxhoven said they're often not aware of alternatives to VPNs. He noted that Zscaler deploys technology that separates access to a single enterprise application from the company network entirely, and authenticates a user before enabling connectivity to an app. Visibility for that user is then limited to that single app, while clients can customize accessibility policies. Foxhoven explained that this prevents users from gaining access to a corporate network, and limits app accessibility only to authorized users — two features that would have stopped an attack like NotPetya, he said.
As organizations attempt to balance security with end-user experience, their IT teams are also struggling to meet the C-Suite's demand to accelerate digital transformation without compromising security. Foxhoven argued that IT professionals will stumble if they continue to rely on SSL VPNs.
However, the juggling act is a complex one: Security experts must manage the surging number of enterprise apps being deployed today, some of which are operating in hybrid cloud environments. They must keep track of which users have access to which apps (even those users who might have left a supplier and, therefore, should no longer have access), as well as all of the devices through which those users will connect into that app.
Unsurprisingly, this will become "increasingly difficult" as organizations' digitization journeys mature, said Foxhoven, pointing to the emergence of 5G technology as one example of forces driving businesses to migrate more of their operations to the cloud, and connect more of their devices to the internet.
"Bad actors will prey on this sudden attack-surface sprawl, and leverage effective ways to obtain network access to use malware and harm companies," he said. "With digital transformation taking place, the ability to bring security to the edge ... and scale it ... effectively is critical."