Monday, July 18, 2011

Dear Utility CEO: Would your Company's Services Providers withstand these Attacks?

Which attacks? The ones that recently (and very successfully) targeted the Department of Defense, extracting what is admitted to be tens of thousands of files' worth of sensitive data.

No, this isn't WikiLeaks. Bradley Manning is safely behind bars, and the stolen info wasn't secreted away on CDs. You might want to think that Defense contractor systems are protected by super-strength security technologies, much stronger than you can afford, but in many cases you'd be wrong.

The strategies described in this FastCompany article from a couple of days ago are relatively pedestrian (by today's standards), and they worked against the DoD by targeting some of its services and integration companies. To defend against attacks of this type, you would want to ensure that your providers had good corporate security policies established, kept current, enforced, and regularly audited. You would want to make sure that your own policies and controls were solid, and that your sourcing documents required your suppliers' policies to be as good or better if they wanted your business.

Dark Reading has a story this month on supply chain threats that goes much deeper than what I have room for here. Here are the five questions it recommends you ask your suppliers:
  1. What processes and technology do you have in place to detect security breaches and rogue employees? 
  2. Do you regularly validate your security measures and can you demonstrate your compliance?
  3. What contractual obligation do you have to protect my company’s data?
  4. What’s the minimum amount of access to my network and data that you need to do your job?
  5. For cloud service providers, what measures can my company take, such as encryption, to protect my data?
Another thing you'd want to do: make sure database security controls are deployed (in your utility as well as in your suppliers) so that while a few documents might be lost in a successful attack, it wouldn't quickly escalate to hundreds or thousands.

Oh yeah, and one final change you can make to help: make sure everyone has their first cup of coffee NLT 6:30 am local. (If you read the FastCompany piece you'll see what I mean).

Photo credit: modomatic on
