The Chinese Government is in the news again this week for targeting Australian businesses with a campaign of cyberattacks aimed at stealing intellectual property. In the campaign, dubbed "Operation Cloud-Hopper", highly trained and well-resourced state-sponsored hackers in the Ministry of State Security have been breaking into Australian businesses by first gaining a foothold with the cloud or IT service providers those businesses have outsourced to, then "hopping" across to the systems that are their true targets.
Australian police and intelligence officials complain that Australian companies have ignored repeated warnings to improve their cybersecurity against criminals and nation-states, but this latest spate of attacks demonstrates that such threats are not so easily countered. While many Australian businesses are focused on defending against Internet-based cyberattacks, few, it seems, are paying much attention to the risks associated with third-party access to their critical information and IT systems.
Third party access is an inescapable reality of the modern business environment. Whether it is trusting your data to cloud services like Dropbox, engaging an external service provider to manage your internal IT systems, or integrating with suppliers and sub-contractors, providing access to your company's IT systems for a third party puts those systems at risk, often in ways which are hard to quantify, and harder to mitigate. By their nature, these relationships facilitate privileged access to company information for the third parties in question, but perhaps as a quirk of Australian culture, local companies are often relying on little more than blind trust to protect themselves from that access being abused.
This practice of focusing so much attention on Internet defence while allowing third parties to regulate their own access to our most sensitive and critical systems is akin to fortifying the front door with steel bars, but leaving a key under the rear doormat for the handyman to get in while we're not home. How far can we trust the handyman not to interfere with our possessions while we aren't there, or not to make a copy of the key which can be sold to other criminals? Even if we do trust the handyman not to do anything malicious, can we be sure they will remember to lock the door when they leave?
The irony is that many Australian businesses, especially small businesses, are subjected to the heavy-handed security demands of their customers and larger business partners. They are intimately familiar with being on the receiving end of the third-party assurance process, yet they rarely consider implementing similar processes for themselves (unless, perhaps, their customers have demanded it).
Providing third party access to company IT systems also raises difficult questions relating to liability. If a third party service provider is hacked, and your company suffers as a result, what recourse do you have - especially when the service provider might be a multinational corporation in a foreign legal jurisdiction? Your customers will most certainly hold you responsible if they are affected, perhaps even the Office of the Australian Information Commissioner if personally identifiable information is involved. There are more consequences to consider than just the possibility that your IP may end up in the hands of Chinese competitors.
When business requirements drive the need to provide third-party access to IT systems, the business necessarily places trust in those third parties. However, trust on its own is ineffective as a security control or risk mitigation technique. It is essential that companies have mechanisms and processes in place to verify that the access they provide to third parties is used responsibly and securely. More than that, companies need the means to detect malicious activity from third parties, to measure the cybersecurity practices and capabilities of those partners, and to hold them accountable when those measurements come up short or an incident occurs.
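One concrete form of "verifying how third-party access is actually used" is to record what each vendor was granted (source networks, systems, maintenance window, contract status) and check their account activity against it. The script below is an added illustration written for this article, not code from the article or from any product it mentions; the vendor names, policies and log lines are all constructed, and the key=value log format is an assumption chosen to keep the parser short.

```python
"""Flag third-party (vendor) account activity that falls outside the access
each vendor was actually granted.  Added illustration; every vendor, policy
and log line below is constructed for the example."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class VendorPolicy:
    source_nets: List[str]        # CIDRs the vendor may connect from
    systems: List[str]            # hostnames the vendor is allowed to reach
    window: Tuple[int, int]       # (start_hour, end_hour) UTC, end exclusive
    active: bool = True           # False once the engagement has ended


# Constructed policies for hypothetical vendors (documentation/test ranges only)
POLICIES: Dict[str, VendorPolicy] = {
    "msp-ops":    VendorPolicy(["198.51.100.0/24"], ["fileserver01", "mailrelay01"], (8, 18)),
    "payroll-sa": VendorPolicy(["203.0.113.0/28"], ["hr-app01"], (9, 17)),
    "old-vendor": VendorPolicy(["192.0.2.0/24"], ["web01"], (0, 24), active=False),
}

# Constructed sample access log: one login event per line, key=value fields
SAMPLE_LOG = """\
2019-01-10T10:05:12Z user=msp-ops src=198.51.100.7 host=fileserver01 action=login
2019-01-10T02:41:03Z user=msp-ops src=198.51.100.7 host=fileserver01 action=login
2019-01-10T10:07:44Z user=msp-ops src=198.51.100.7 host=finance-db01 action=login
2019-01-10T11:00:00Z user=payroll-sa src=203.0.113.200 host=hr-app01 action=login
2019-01-10T12:30:00Z user=old-vendor src=192.0.2.5 host=web01 action=login
2019-01-10T13:15:00Z user=jsmith src=10.0.0.5 host=fileserver01 action=login
"""


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP key=value ...' into a dict; 'ts' becomes a UTC datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def evaluate(event: dict, policies: Dict[str, VendorPolicy]) -> List[str]:
    """Return the policy violations for one event.  Non-vendor accounts and
    fully in-scope vendor activity yield an empty list."""
    policy = policies.get(event["user"])
    if policy is None:
        return []                       # internal account; not a third party
    findings: List[str] = []
    if not policy.active:
        findings.append("inactive vendor account used")
    src = ip_address(event["src"])
    if not any(src in ip_network(net) for net in policy.source_nets):
        findings.append(f"source {event['src']} not in vendor's allowed networks")
    if event["host"] not in policy.systems:
        # The "hopping" case: a vendor account reaching a system it was never granted
        findings.append(f"access to {event['host']} outside granted scope")
    start, end = policy.window
    if not (start <= event["ts"].hour < end):
        findings.append(f"activity at {event['ts'].isoformat()} outside maintenance window")
    return findings


def audit(log_text: str, policies: Dict[str, VendorPolicy] = POLICIES) -> List[tuple]:
    """Run every log line through the policy check; return (user, host, finding) tuples."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for finding in evaluate(event, policies):
            results.append((event["user"], event["host"], finding))
    return results


if __name__ == "__main__":
    for user, host, finding in audit(SAMPLE_LOG):
        print(f"{user:12} {host:14} {finding}")
```

Run against the constructed log, the script reports four findings: an out-of-hours login, a vendor account reaching a system outside its granted scope, a login from an address outside the vendor's registered network, and use of an account whose engagement has ended. The policy table is the part worth keeping current in practice: it is the written record of what each third party was granted, which is exactly what is missing when access is regulated by trust alone.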
Creating an effective third-party assurance process in your business can be a complex and daunting task. It requires technical risk managers who can assess third parties and understand the potential impacts to your business, security engineers capable of designing and implementing effective security controls, and legal advisors who can both decipher the regulatory and contractual obligations of the business and ensure that the business has its own contractual controls which are effective and enforceable. Small businesses in particular often find that they lack the skills and resources internally to create such a system, much less integrate it into their existing business practices.
If you are interested in finding out more about the Cyberlaw and security services we offer, please contact: