Over the past two years there has been mounting evidence of the Russians attacking the U.S. utility grid. Recently, the Wall Street Journal provided more specific details about the campaign revealing that hundreds of small contractors were attacked. While the techniques used were not novel, the campaign highlights an increasingly pervasive problem, as the Journal points out:
“The scheme’s success came less from its technical prowess—though the attackers did use some clever tactics—than in how it exploited trusted business relationships using impersonation and trickery.”
Attacks against an ecosystem, supply chain, or other business partnership create challenges that transcend the technical infrastructure in place – while some cybersecurity experts dispute the extent and level of success of this campaign, which continues today, the erosion of trust is difficult to dispute. Victim companies of the attacks have been identified both in this article and by the FBI as conduits for attacks, so any other company considering the services or products of these companies must evaluate their reputation as one element in its business decision.
Digital trust can have catastrophic consequences for organizations, especially those in highly competitive or commoditized industries. It is crucial for companies to recognize this trend and respond to it accordingly.
Any organization should consider these important points:
1. There is a reasonable chance your company will be compromised in the next three years. Our research suggests that approximately 30% of all companies are compromised over that period, though there is a significant variance in the volume of incidents.
2. All companies are vulnerable. Using the old excuse that there is nothing of value for attackers to steal breaks down when they are compromising an organization’s reputation and affecting its business partners.
3. Though these incidents are common, business partners, regulators, journalists, and the public take an extremely dim view of the victims of any breach, particularly if it affects external parties as in this case.
The strategy that wins in these cases is threefold:
1. Be proactive about security measures. Companies should be actively implementing user awareness training, multifactor authentication, encryption and other measures to protect against compromise.
2. Develop a resilient IT infrastructure and encourage business partners to do the same. Companies should constantly be looking for ways to minimize damage, through process and planning as well as technical measures like boundaries, isolation, and obfuscation.
3. Be transparent with partners before and after a breach. Compromises are common enough that they can be forgiven when appropriate measures are taken and explained beforehand, and details are shared afterwards. Nowadays, it is common for public companies to include warnings about breach prospects in their annual reports.
Digital trust is a crucial element to the health and survival of individual companies in an industry ecosystem. Recognizing its importance and actively addressing it is a foundational step towards success in today’s world of digital transformation.
Pete Lindstrom is Vice President of security research with IDC’s IT Executive Program (IEP). Learn more about what IDC’s IT Executive Program can do to help you lead your business by visiting idc.com/itexecutive.