A house of cards: securing digital connections across organisations

File sharing and messaging systems between organisations can become an open outlet for your data. How can you protect your digital pathways while collaborating?
Christian Wiediger

Every company relies on communications and interfaces with other organisations, whether that’s for professional services like legal services or consulting, or for the licensed software products which make up their internal infrastructure. Of course, we need these lines of communication open to collaborate effectively. But how secure are they really?

Whenever an organisation integrates a tool with a third party, it immediately becomes reliant on how secure that third party is too. This could be as simple as opening up a file sharing platform for consultants to access on their work laptops so they can better collaborate with your internal teams.

When we open our environment, we implicitly trust the data and files which are on these platforms, while also exposing ourselves to risk. For example, opening a file share or messaging platform means you often have limited control over what information can or will be uploaded. Still, sending through malicious files isn’t usually a conscious decision. Malware may already have been installed in your partner’s or vendor’s environment during a previous breach caused by lax security policies.

Taking this one step further, companies are often reliant on third parties managing their own identity and access management systems, creating a “federated” security environment. It’s critical for these systems to be effective and up to date, including the removal of anyone who has left the company. Breaching a vendor in your software supply chain can lead an attacker directly into your environment: old credentials and forgotten leavers are a free pass straight in.

What can be done?

It’s too laborious a task for individual security analysts to keep track of all the data and access across your distributed environment. The only way to do this effectively is by automating security analytics and protective tasks using artificial intelligence. Until we have solutions like this available in the broader marketplace, it’s critical that we work closely with our partners and vendors. This means the chief information security officer (CISO) and security team should be involved in our sourcing and procurement discussions, working to mitigate any potential risks and ensuring there’s cohesion across security policies.

Otherwise, there’s an opportunity for the wider industry to smooth over these interactions by adopting an objective “cyber hygiene” score, providing a level of trust across organisations that their counterparts have at least been set up in a secure manner. We can take inspiration from the Food and Beverage industry’s labelling practices, where ingredients, recommended dietary intakes and the traffic light system are used as tools to inform decisions. Assessments of this kind over an internal infrastructure need to be automated as much as possible; otherwise deployment at scale across industry can become manual and arduous.

These extra efforts might be seen as uncomfortable or inconvenient, but they’re important to ensure that second-order risks are appropriately protected against. These are the risks threat actors use every day to launch even more sophisticated attacks, and they end up making our infrastructures look like a ‘house of cards’.

A little pain now can avoid large-scale disruption and widespread business impact later caused by these silent insider attackers.
