TBR Event Perspective - SecureWorld 2014 Boston
Opportunities evolving from cyber supply chain security concerns
Technology Business Research, Inc.
TBR EVENT PERSPECTIVE
Opportunities evolving from cyber supply chain security concerns
SecureWorld Boston, March 25–26, 2014
Author: Jane Wright (jane.wright@tbri.com), Senior Analyst and Engagement Manager

TBR Perspective

Just a few years ago, security breaches were typically enabled by vulnerabilities in the breached organization’s IT infrastructure. Today, however, many security breaches are the consequence of vulnerabilities in the IT infrastructures of the affected organization’s business partners, including the wholesalers, retailers, payment processors and other partners in the organization’s cyber supply chain. This has led to heightened expectations for strong security controls at cyber supply chain partner organizations, a primary topic of discussion at the SecureWorld Boston 2014 conference.

Increased focus on cyber supply chain security has altered the way organizations evaluate security solutions and justify security expenditures. It has impacted the way security vendors and service providers engage with customers, placed more demands on cloud service providers and created opportunities for auditors and cyber insurance companies.

Cybercriminals traverse supply chain partners’ infrastructures to reach their targets

Depending on the industry, an organization may have hundreds or even thousands of cyber supply chain partners sending and receiving electronic data such as invoices, catalogs and customer lists. The organization may need to grant business partners a level of access to its network and applications to operate efficiently. This creates a cyber supply chain that is critical for organizations to compete in today’s business climate.

Recent breaches demonstrate that an organization may be only as secure as the weakest link in its cyber supply chain. For example, cyberattackers brought down The New York Times website for two days in 2013 by attacking the Times’ DNS provider. Another example is the recent breach against the retail corporation Target Corp., which was initiated when hackers stole credentials from the retailer’s heating and air conditioning provider.
These examples underscore the patience of attackers who take a circuitous route to infiltrate their ultimate target. Along the way, they drop payloads, steal credentials or set up command and control sites in the partners’ infrastructures until the attackers eventually reach their target and shut down business processes, steal valuable data and cause other damage. According to the Cost of Data Breach Study: Global Analysis conducted by the Ponemon Institute and sponsored by Symantec, the average cost of a typical data breach in the U.S. was more than $5 million in 2013.

To minimize the risk of such losses, organizations require that their cyber supply chain business partners provide detailed security reports on penetration testing, change management and incident forensics, or document their adherence to frameworks from the National Institute of Standards and Technology (NIST), the SANS Institute or other security frameworks.

Cyber supply chain risk is familiar to organizations that must comply with regulations such as HIPAA, where “business associates” must follow certain rules and provide satisfactory assurances. But increased awareness of attacks on supply chain partners, as attackers attempt to damage or steal from their intended targets, has heightened cyber supply chain security concerns at organizations in all industries, including nonregulated industries.

Cyber supply chain concerns impact users, vendors, service providers and other firms

Since security attacks can travel along cyber supply chains, many organizations find they must demonstrate their security qualifications to earn the right to be in a supply chain and do business with their partners and customers. Partners and customers are demanding proof that organizations are proficient at deflecting attacks, detecting insider threats and closing vulnerabilities. In this way, security is tied more closely than ever to the organization’s business goals.

As a result, chief information security officers (CISOs) are adding a new criterion to their security purchasing decisions: the ability of the product or service to help demonstrate the organization’s security strength to its customers. Security vendors can help CISOs by ensuring that their solutions produce clear and concise security reports that can be attached to the organization’s business proposals. Professional security service providers are called on to help organizations pass security audits or adhere to security frameworks, documenting the results in a format that can be shared with partners and customers.

From a security perspective, cloud service providers are an important partner in an organization’s cyber supply chain. Even if an organization chooses not to use cloud services, it is likely that one of its cyber supply chain partners does, and thus a portion of the organization’s data will spend time in a cloud provider’s platform. Cloud service providers are focusing on security along with other factors, such as availability and ease of implementation, to ensure that an attack impacting their platform does not ripple to their customers and their customers’ cyber supply chain partners.

The insurance industry has also been affected by the increased focus on cyber supply chain security. Most general liability policies will not cover incidents such as denial-of-service (DoS) attacks, so organizations are turning to cyber insurance companies to write new policies that cover many different forms of attacks. The policies may be written to protect the covered organization as the first party as well as cyber supply chain partner organizations as additional parties in the incident.
Conclusion

According to a number of presentations at SecureWorld Boston 2014, attacks that navigate through cyber supply chains have increased requirements for organizations to demonstrate security maturity to their cyber supply chain partners. This has contributed to the changing view of security within the organization from overhead (a necessary expense to protect the organization’s investments) to a business benefit that can be promoted to help drive revenue. Now when organizations set their competitive strategy around a differentiator, such as lowest price or highest quality, they may strive to add “most secure” to their list of strengths. Security vendors and service providers that offer products or services that help organizations quickly and easily document their security posture will be best positioned to support organizations in the increasingly connected business environment.

About TBR

Technology Business Research, Inc. is a leading independent technology market research and consulting firm specializing in the business and financial analyses of hardware, software, professional services, telecom and enterprise network vendors, and operators. Serving a global clientele, TBR provides timely and actionable market research and business intelligence in formats that are tailored to clients’ needs. Our analysts are available to further address client-specific issues or information needs on an inquiry or proprietary consulting basis. TBR has been empowering corporate decision makers since 1996. For more information please visit www.tbri.com.

©2014 Technology Business Research Inc. This report is based on information made available to the public by the vendor and other public sources. No representation is made that this information is accurate or complete. Technology Business Research will not be held liable or responsible for any decisions that are made based on this information. The information contained in this report and all other TBR products is not and should not be construed to be investment advice. TBR does not make any recommendations or provide any advice regarding the value, purchase, sale or retention of securities. This report is copyright-protected and supplied for the sole use of the recipient. Contact Technology Business Research, Inc. for permission to reproduce.