This week: Third party risk management is no longer where the party is at; Hacking systems usually means hacking humans, especially those in your IT support team; The insanity of password rules, according to Michael McIntyre.
3 – Third Party Risk is soooo yesterday
“While third-party risk is a common term in regulated sectors, it might make more sense to talk of overall supply chain risk. [..] Risk can come from fourth parties and others further down the supply chain.”
This is according to a senior executive… in a company that sells supply chain risk software! But just because the message suits their solution, it doesn’t mean the message is wrong.
At a recent TEISS Breakfast Briefing, attendees discussed the value and challenge of managing risk the whole way through an organisation’s supply chain. “Those at the briefing suggested that strong contracts are more effective than questionnaires in ensuring that suppliers take cyber-security seriously”. (I bet many of them were lawyers.) “[Many] also discussed the need to classify suppliers based their importance to your operations. Tier 1 suppliers, those who could potentially cripple your business if breached, should receive the most rigorous monitoring and assessment.”
Key takeaway: Vendor management / Supply chain risk management is an excellent way to burn time trying to boil the ocean. It is important to continually find ways to slice up the elephant, so you are always focusing on the next-most critical risks and next-most critical suppliers. (And if I could have found a way to get more idioms into this section, I would have.)
2 – ‘Good work’ should not mean ‘fast work’
“[When I’m asked to try to hack an organisation], the first teams I go after are the folks who deal with requests from people constantly — IT, Help Desk, Customer Support, etc., I often pretend to be an internal teammate to convince them to give me access, and I usually start with phone attacks [because] they work fast.”
This is according to Rachel Tobac, the CEO of SocialProof Security, in a recent LinkedIn post (and shared on LinkedIn by John Haren). Rachel is frequently engaged by organisations to try to hack their systems. And she does this by hacking the humans.
As she says in her post, “most folks at work want to do a good job and often times ‘good work’ means ‘fast work’. We can’t expect every employee to be able to come up with their own identity verification protocols on the fly — it’s our job to provide the right human protocols to catch this fast.”
Key takeaway: Your staff training programmes need to include a focus on the people who control access to your systems, and your processes need to include verification steps so these people can confirm that the caller is genuine. And you need to ensure any third parties who also control access to your systems (e.g. your IT MSP) are doing the same. Why does this matter? Because apparently, MGM Resorts, a $34 billion company, was hacked by a 10-minute phone conversation.
1 – The evolution of passwords, by Michael McIntyre
“At the beginning, we all had one password, and we used it for everything. [..] And then, companies started getting quite rude. You would put your password in and it would go ‘weak’. Who are you to judge my special word?”
This is from an excellent comedy sketch by Michael McIntyre on the insanity of password rules, shared on LinkedIn by Alex Sverdl via Oz Oscroft. (PS Did you know Michael is Britain’s most famous and 12th most popular comedian in Q2 2023 and his show “Michael McIntyre: Showman” is available on Netflix?).
Key takeaway: If you are still forcing people to include upper and lower case letters, numbers, and special characters in their passwords, you need to move on. Take a look at pass phrases, Multi-Factor Authentication, and Passwordless options, so when your staff see videos like this in the future, they don’t immediately think of you.