Trusted third party?
Our digital environments are becoming increasingly complex, and are on the critical path of our businesses. They are constantly evolving at every level: regulatory, typology of cyberthreats, risks associated with emerging technologies, constant pressures due to the increasingly rapid evolution of markets.
Against this backdrop, many companies are calling on ‘third parties’ to provide IT services, integrating them into their processing chains, often sharing infrastructure and data.
A large company can easily work with more than 100 service providers or suppliers, such as ESNs. The latter are privileged partners, solicited for consulting services, IT solutions, development and engineering, and the sharing of information to be protected is therefore significant. It becomes difficult to control such an ecosystem, especially if security has not been taken into account from the outset of the relationship (almost like the contractual “Security By Design” that we hear so much about).
These can be an extension of the customer network. Security Assurance Plans make perfect sense in this type of relationship. There are also more traditional forms, in SAAS mode for example, through applications (top layer of the OSI model), where the risks are more likely to come from rights, identities and access.
Whatever the type of relationship with a third party, there is usually a history to make up for, a trust to build or regain…
The rebound attack, the weak link in the chain
The cyber attacker will then choose to “bounce back” through a company partner/supplier of the target, which is often smaller in size and whose security is more fallible. He does not attack his target directly but is rather interested in his ecosystem of partners (suppliers, subcontractors, service providers, etc.), to exploit any security flaws and thus infiltrate it.
Using this technique also allows the attacker to take advantage not only of existing vulnerabilities to make the service provider an accomplice victim, but also to more easily conceal his identity from the targeted company.
We remember, in 2020, the SolarWinds[1] case, a supplier of computer network management and monitoring solutions, where spyware hidden at the heart of the tool has spread to all customers, with the ravages that we know. Or the attacks that affected AIRBUS in 2019. The origin of the incident was in unauthorized access to data by one or more individuals who posed as a subcontractor of the aircraft manufacturer. This type of risk was and is currently exploding.
This type of risk was and is currently exploding.
[1] Source: SolarWinds: what we know about the cyberattack massive impact that notably affects Microsoft and US federal agencies (francetvinfo.fr)
So who is responsible?Who bears the risks?
In the event of a cyber attack on an end-customer by a rebound attack, with often disastrous consequences in economic, financial and image terms, the question of liability may arise. The “historic” contracts between the parties rarely mention this? This often leads to legal battles, which are best avoided by dealing with the issue in advance.
How can we deal with this issue upstream?
At the last FIC (International Cybersecurity Forum), feedback from a major insurance company showed the complexity of implementing a catch-up operation in terms of contractualisation, and enabled the associated costs to be sized: audits of third parties, assessment of their maturity in terms of security, assessment of the associated risks in terms of the relationship before considering consolidation projects if necessary.
And, as is often the case, when it comes to complying with a client company’s security requirements, third parties have to release budgets that were not originally planned… even though security is sometimes still struggling to escape being seen as a cost centre by Boards and other COMEXs (until a cyber-attack…)!
The response from state bodies
Apart from the pressure that companies can bring to bear on their third-party suppliers, which could jeopardise the continuity of their contracts, the French and European governments are working on a number of support measures to force them to take action on these issues.
As if in response to this difficulty in budgetary negotiation, in the same way that a 49.3 makes a lot of noise… regulatory obligations are arriving or are already being applied, and will entail financial penalties if they are not complied with.
What is involved? Broadly speaking, companies are required to map all their data processing activities and to identify precisely the ecosystem of suppliers, subcontractors and other service providers with access to their information systems.
PAMS
The actions undertaken by the French government also include the work of the ANSSI, which is formalising a white list of secure administration and maintenance service providers, or PAMS, “in both the traditional IT and industrial sectors”. This standard will provide clients with guarantees in terms of security and the trust they can place in their service providers, with an assessment of the quality of the outsourcing services on offer. This standard may be required by companies from their suppliers. Version 1.0 is available here (https://www.ssi.gouv.fr/actualite/securite-et-infogerance-du-nouveau-pour-le-futur-referentiel-pams-de-lanssi/)
Cybersecurity Act
This approach is a direct response to the European Cybersecurity Act, which will shortly come into force. This will provide the framework for a certification procedure dedicated to cybersecurity solutions, valid in all European Union Member States, with the aim of obtaining a security score, like our good Nutri-Score on food. We’ll see what impact it has… Even at E, we’re still eating the famous chocolate spread 😉.
NIS2, Network and Information Security
Among other subjects, NIS2 (Network and Information Security, the European Union’s cybersecurity legislative text) is making its appearance, correcting the shortcomings of its predecessor, the aptly named NIS1. As well as extending security requirements to many service companies other than OSEs[1] and FSNs[2], NIS2 improves the consideration and management of supply chain security, and the monitoring and auditing of third parties. Failure to comply with these directives could result in fines of up to €10 million or 2.5% of turnover. Enough to give any COMEX or CFO pause for thought, and help free up budgets for compliance…
NIS2 must come into force by September 2024 at the latest.
[1] ESO: Essential Service Operators
[2] DSF: Digital Service Providers
In conclusion, thinking ahead to avoid
As we all know, the aim is to avoid cyber attacks by rebound: For customers, to gain a better understanding of the various interactions with suppliers and identify risks and responsibilities; for subcontractors, to meet new security requirements in terms of data processing (RGPD, etc.), to benefit from a framework of security management guarantees (organisational and technical measures, Security Assurance Plan, impact analysis, Cyberinsurance, contracts, etc.), and to be identified as a trusted third party by the customer, and no longer as a stranger…