
When It Comes To Cyber Security, Firms Must Prove Due Diligence Or Be Passed Up For Partnership

By ISBuzz Team, October 20, 2016

In terms of business risks, data breaches and cyber-crime in general are quickly marching up the list of priorities for companies around the world.

For businesses at the enterprise level, this concern is manifesting itself in the increasing pressure they are placing on their suppliers to prove they are practicing due diligence when it comes to keeping their systems safe.

This proposition can pose a significant challenge for many supply chain partners. CTOs, for example, may be asked to submit an outline of the cyber security practices their company has in place before a partnership is finalised. The companies whose security approaches are deemed too risky may find themselves being passed over for partnerships, as enterprises seek to keep their supply chains strong.

Whether it is in recruitment, accountancy, law or catering supplies, the trusted relationship in the supply chain is now under threat, with failure to demonstrate accountability, compliance and effective reporting a key factor in decisions about who does business with whom.

The usual layers of security no longer cut it and with the EU General Data Protection Regulation coming into effect in just over 18 months’ time, organisations need to start putting their respective houses in order. This means measurable and reportable intelligence about not only their own, but also their partners’ and suppliers’ cyber security practices.

Innovation, implementation of policy and a strong and sustained focus on the critical and most vulnerable areas of security are key to staying one step ahead of the attacker. The question is, do enough businesses understand the nature of the threats and what is required to defeat them? Are they able to provide demonstrable reporting to the satisfaction of their legal department when completing supplier cyber security questionnaires?

The danger of complacency

Despite the number of high-profile and damaging data leaks that occurred around the globe last year, many businesses are still complacent about security. For many, security is still a matter of out-dated perimeter security that completely ignores the area where most danger now lies – in file-based malware attacks delivered in email attachments. These attacks using common file-types such as Word, Excel, PDF or PowerPoint now account for 74 per cent of successful data breaches.

Perhaps businesses will sit up and take notice after one of the companies hit last year – TalkTalk – was back in the news this month (October), fined £400,000 for allowing the details of nearly 157,000 customers to be stolen by hackers.

For any business with supply chain partners, it is no longer good enough to claim that targeted attacks cannot be prevented and to assert that post-infection detection and response with anti-virus software is solely the answer.

Technology that works

Among enterprises at the top of the supply chain, it is increasingly understood that the only effective solution that will provide impregnability against this deliberate corruption of email-bound documents lies in file-regeneration technology.

An automated solution utilising this capability disarms malicious files, producing a benign version referenced against the manufacturer’s original standard, checking it right down to byte level instead of just looking for active content in the body of the document. A sanitised file is regenerated at sub-second speeds and passed on to users in real-time to maintain business continuity.

The technology protects organisations against even the smallest and most subtle alterations in file structure, detecting, for example, where criminals have changed just two bytes in a PDF file to crash the reader software in order to trigger malware or hidden exploits. This type of attack is simply not visible, or stoppable, without such document regeneration software.
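
The regeneration idea described above, sketched as an added example that is not from the article or from any vendor's product: instead of scanning a Word file for known-bad content, it builds a new archive containing only parts that are on an allowlist and pass a structural check. The allowlist, the function names and the sample document are assumptions made for illustration, and the sketch does not rewrite references to the parts it drops.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Allowlist of part names this simplified regenerator carries over (assumption:
# a minimal Word document; a real product covers the full format specification).
ALLOWED_PARTS = re.compile(
    r"^(\[Content_Types\]\.xml|_rels/\.rels|docProps/(app|core)\.xml|"
    r"word/(document|styles|settings|fontTable)\.xml|word/_rels/document\.xml\.rels)$"
)

def regenerate_docx(data: bytes):
    """Rebuild a .docx from allowlisted, well-formed parts only.

    Returns (clean_bytes, dropped) where dropped maps part name -> reason.
    """
    dropped = {}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if not ALLOWED_PARTS.match(name):
                dropped[name] = "part not in allowlist"
                continue
            body = src.read(info)
            if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
                dropped[name] = "DTD not permitted"
                continue
            try:
                ET.fromstring(body)  # structural check: must be well-formed XML
            except ET.ParseError:
                dropped[name] = "malformed XML"
                continue
            # Write under a fresh header so nothing from the original
            # archive metadata (extra fields, comments) is carried over.
            dst.writestr(name, body)
    return out.getvalue(), dropped

def build_sample() -> bytes:
    """Constructed sample: a tiny document plus a macro container and a broken part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document><body>Invoice</body></document>")
        z.writestr("word/vbaProject.bin", b"\x00constructed-macro-blob")
        z.writestr("word/styles.xml", "<styles><unclosed></styles>")
    return buf.getvalue()
```

The `dropped` report is the kind of per-file record a supplier could retain as evidence of what was removed before delivery.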

This is a technology that also sanitises outbound emails, using the same techniques to ensure that no business is ever held responsible for the potentially catastrophic consequences of infecting a supply chain partner or client. Reliance on encryption and digital signature-based security may reduce some of the risk from third-party interception, but it will not prevent an organisation from unwittingly delivering an infected file, since hackers are now adept at using delayed-action embedded code or structural manipulation, in combination with clever use of social engineering.

Fit to do business with

Besides eliminating known and evolving threats, one of the great benefits of file-regeneration is that it puts organisations back in control, deciding who should receive specific file content as part of a broader security and risk management strategy. Crucially, it also provides supply chain partners with the evidence that their organisation has adopted the solution that is known to be effective against file-based threats – by far the most common origin of cyber-attacks.

The overall outcome is that organisations can send and receive emailed documents, transfer files or share and access cloud file stores with and from customers, partners and suppliers in full confidence and in turn are regarded as safe to do business with.

It is clear that only the kind of genuine innovation to be found in file-regeneration solutions will give organisations this watertight and demonstrable level of security. In the face of so many emerging threats it is vital that the CTOs and CISOs throughout the supply chain recognise this important fact in the ongoing battle against cyber-crime.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
