September 4, 2019
When we recently examined changes in Oregon cybersecurity compliance rules, we noted that the state is recognizing a problematic cybersecurity reality with enterprises, namely that business partners bring with them a massive amount of security risk. Oregon officials, whose efforts will likely be replicated by other states, are putting the onus on those various kinds of business partners to alert the enterprise to an issue.
As well meaning as this change is, it could markedly complicate enterprise compliance efforts, as CISO teams struggle to figure out which partner reports (there will be a huge number of them) need to be investigated.
From the new Oregon law: "A vendor that discovers a breach of security or has reason to believe that a breach of security has occurred shall notify a covered entity with which the vendor has a contract as soon as is practicable but not later than 10 days after discovering the breach of security or having a reason to believe that the breach of security occurred. If a vendor has a contract with another vendor that, in turn, has a contract with a covered entity, the vendor shall notify the other vendor of a breach of security."
The impetus behind this requirement is critical. Security breaches or weaknesses within partner companies directly impact the sensitive data of the enterprise, given that partners have access (hopefully limited) to the enterprise's systems, for inventory data, supply chain logistics or accessing any sensitive operational data at all. If a partner is being given any VPN access into sensitive systems, it's a massive risk.
If the partner company is successfully attacked—including ever-popular social engineering attacks, to steal the partner's credentials—that directly and immediately impacts the enterprise data accessed by the partner. Much worse, it has the potential to allow the attacker to either steal the credentials to directly attack the enterprise or piggyback on the partner's legitimate connection and sniff that sensitive data.
So, from a pure risk perspective, forcing partner companies to immediately report any security breach to the enterprise makes sense. The problem is practicality. Fortune 1000 enterprises typically have a massive number of partners handling a wide range of tasks. How much discretion will those partners use? To be candid, how much discretion should they be permitted to use?
Even worse, consider that last sentence in the quote: "If a vendor has a contract with another vendor that, in turn, has a contract with a covered entity, the vendor shall notify the other vendor of a breach of security." That means that the list of companies having to report issues to the enterprise is not merely the already-lengthy list of partner companies. It's exponentially worse, as it includes all of the partner companies to all of those partner companies.
If all partners and partners-to-the-partners decide to interpret "a breach of security" in the most expansive way possible—which is almost certainly what those partner companies' corporate counsels will recommend—the additional workload on the enterprise will be immense.
Don't forget that a breach of security isn't necessarily limited to an actual successful penetration or social engineering that accessed some passwords. It's any place where security has broken down. If security cameras see an employee opening a locked door for a stranger, does that have to be reported? It is, without question, a breach of security. What about a social engineering attack that successfully gains one employee's credentials? What if the employee realized the scam immediately but had already released the credentials? And what if that employee immediately reported it to IT, which instantly disabled that password? Yes, that's absolutely a security breach, but the exposure was halted before the attacker could gain access. (IT can easily see if the credential was used in the few minutes before the credential was disabled.) Does it make sense to report that to the enterprise?
If this tidal wave of new reports flows into the enterprise's security team, how many additional resources will be needed to review them every day? Will it result in alert fatigue, causing real issues to be ignored?
It's critical for enterprise security and IT to work out precise protocols for breach reporting for all partners, tailoring the requirements for different partners with different levels of access. Some partners, in the opinion of the enterprise's IT and security teams, will have far better security and that should factor into their breach reporting protocols.
Even if the enterprise doesn't operate anywhere where compliance requires this reporting, it's not a bad idea for enterprises to require it from partners anyway, as long as what merits reporting to the enterprise is spelled out in detail.