Breach Inheritance: A cyber breach you inherit through a third-party supplier or partner relationship.
The recent news of (yet another) cyber breach, this time affecting British Columbia's healthcare workers through a third-party supplier, made me want to share three useful tips to help reduce your exposure to, and the impact of, a future breach you will (eventually) inherit:
1. Understand Your Exposure
Breach inheritance will come in one of two forms (or both): a breach of data and/or an exploitation of trust (unauthorized access, credential compromise or a compromised dependency). Your exposure will depend on the third-party services being consumed. Understanding what data is collected or stored, what connectivity the supplier requires and which of your systems depend on them is essential to threat modelling your exposure and treating the risk appropriately.
2. Don't Trust, Verify
Being interconnected with partners and suppliers is somewhat of an inevitability in this day and age. SOC2 has become the de facto business-to-business IT services certification of "assurance", but to be abundantly clear, SOC2 is not an attestation of a supplier's ability to spell security, let alone be secure. For your most critical third parties, it is prudent to go beyond the "do you have SOC2 Type 2" questioning and dig deeper into what controls are in place to prevent breaches and, when breaches do occur, what detection and response capabilities exist to limit the blast radius. Opacity in answering your questions should be a red flag for tech debt and a future breach ahead.
3. Be Prepared
Breaches are an inevitability, and as a lifelong blue teamer it pains me to say this, but we need to move away from thinking we can buy our way out of being breached. Sorry, salespeople! Instead, we must assume a bad day will happen and invest in processes and procedures that reduce the blast radius. In the world of third-party suppliers this means knowing and practicing how to remove access (hint: it isn't just changing passwords), safely breaking dependencies with impacted assets and, of course, having a communication plan for those affected and potentially other external stakeholders such as regulators or privacy commissioners.
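Tips 1 and 3 both come down to knowing, before the bad day, which of your assets sit downstream of a supplier and every path that supplier holds into your environment. The following Python script is an added illustration of that idea and is not part of the original post; the supplier names, dependency edges, access grants and runbook text are constructed sample data. It walks the dependency graph from a compromised supplier to list the blast radius (in the order you would cut it) and maps each access grant to its own revocation step, flagging any grant for which no revocation procedure exists.

```python
from collections import deque

# Constructed sample data (not from the post). An edge A -> [B, C] means B and C
# depend on A, so a compromise of A can propagate to B and C.
DEPENDS_ON = {
    "payroll-saas": ["hr-portal", "sso-idp"],   # hypothetical third-party supplier
    "hr-portal": ["employee-directory"],
    "sso-idp": ["vpn-gateway", "email"],
    "analytics-vendor": ["marketing-site"],      # hypothetical third-party supplier
}

# Constructed sample data: every path a supplier holds into our environment.
ACCESS_GRANTS = [
    {"supplier": "payroll-saas", "kind": "password", "id": "svc_payroll"},
    {"supplier": "payroll-saas", "kind": "api_key", "id": "key-7f3a"},
    {"supplier": "payroll-saas", "kind": "oauth_app", "id": "app-payroll-sync"},
    {"supplier": "payroll-saas", "kind": "vpn_peer", "id": "ipsec-payroll"},
    {"supplier": "payroll-saas", "kind": "ssh_key", "id": "SHA256:EXAMPLEKEY"},
    {"supplier": "analytics-vendor", "kind": "api_key", "id": "key-0c11"},
]

# Resetting a password touches only the first entry; each access kind needs its own step.
REVOCATION_RUNBOOK = {
    "password": "reset credential and invalidate active sessions",
    "api_key": "revoke key at the issuing service, rotate anything that used it",
    "oauth_app": "remove the app grant and revoke its refresh tokens",
    "vpn_peer": "disable the tunnel peer and remove the firewall allow rule",
    "ssh_key": "remove the public key from authorized_keys and any CA allow list",
}


def blast_radius(compromised, depends_on=DEPENDS_ON):
    """Assets transitively reachable from a compromised supplier, in BFS order.

    BFS order doubles as an isolation order: assets closest to the supplier are
    cut first so nothing downstream keeps consuming an already-untrusted source.
    """
    order, seen = [], {compromised}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for child in depends_on.get(node, []):
            if child not in seen:
                seen.add(child)
                order.append(child)
                queue.append(child)
    return order


def revocation_plan(supplier, grants=ACCESS_GRANTS, runbook=REVOCATION_RUNBOOK):
    """Map each of the supplier's access grants to its revocation step.

    Grants whose kind has no runbook entry are returned separately rather than
    silently skipped: an access path you cannot revoke is the one that matters.
    """
    actions, unhandled = [], []
    for grant in grants:
        if grant["supplier"] != supplier:
            continue
        step = runbook.get(grant["kind"])
        if step is None:
            unhandled.append(grant)
        else:
            actions.append({**grant, "action": step})
    return {"actions": actions, "unhandled": unhandled}


if __name__ == "__main__":
    for asset in blast_radius("payroll-saas"):
        print("isolate:", asset)
    plan = revocation_plan("payroll-saas")
    for item in plan["actions"]:
        print(f"{item['kind']:>10} {item['id']}: {item['action']}")
    if plan["unhandled"]:
        print("no runbook for:", plan["unhandled"])
```

The inventory behind `DEPENDS_ON` and `ACCESS_GRANTS` is the deliverable of tip 1; keeping it current is what makes the tip 3 exercise (cut the dependencies, revoke every grant, confirm nothing is left unhandled) something you can rehearse rather than improvise.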