With the recent news of BA facing a record fine of £183m for last year’s data breach, 1.5 per cent of its revenue, organisations need to consider how to avoid a similar fate.

According to the Information Commissioner’s Office (ICO), the hackers are believed to have accessed the information of an estimated half a million people through a vulnerability in third party JavaScript used on the website.

Third party failure is also widely accepted as the reason for the Ticketmaster data breach that occurred in 2018. So, as we can see, this kind of attack can have major financial consequences when it infiltrates huge organisations, and of course it also damages the brand and reputation.

BA may be surprised and disappointed by the recent decision; however, the real question is how we can prevent such an attack, and the resulting fine, from happening again when organisations rely on third party vendors.

A recent Freedom of Information request to the Financial Conduct Authority (FCA) revealed that between January 2018 and December 2018 there were 174 third party failures for businesses in the UK.

The figure has already climbed to 79 for January 2019 to May 2019, with some also suggesting that under-reporting of issues still makes these figures inaccurate.

BA may have acted quickly when the breach came to light, but unfortunately the ICO doesn’t care how quickly you react. The regulation is in place so customers can safely enter credit card details and personal information on a site or app without malicious JavaScript potentially harvesting their sensitive data.

One of the points of introducing GDPR was to make businesses act proactively on cyber security, creating a way to suppress third party attacks, but unfortunately the frequency of these attacks has not slowed.

There are tremendous benefits to be gained from embracing supply chain methods for your organisation and customers. Today’s competitive business environment demands it. But strong governance is a must when it comes to sourcing and using third parties.

The areas in which practitioners have most often advised defending against third party attacks include credit card processing, cloud storage, document management software and single sign-on solutions.

Evaluating the security and privacy policies of all third-party suppliers means the likelihood of a breach falls dramatically. Once you understand all the vendors and which of them have access to sensitive data, a variety of tools are available to help assess the level of their security.

Uleska has been able to defend against third party failures by orchestrating security tools to check all third party code, even if changes have been made to it. This means that all third party vendors can sell with confidence to major clients, knowing that their code is continuously being checked and that the relevant people are being notified about any new, or existing, vulnerabilities.

This method has allowed us to secure continually against third party attacks in an efficient manner, helping to reduce the number of serious data breaches that can affect some of the world’s top organisations.

Understanding where risks lie within your digital ecosystem, tailoring controls according to those risks, and collaborating with your third parties to remediate and mitigate those risks could be just one of the many ways that your organisation combats third party failures.

For further information on third party attacks and failures you can join us at the next Uleska webinar, which will be covering the topic in more depth. Contact info@uleska.com for full details of the registration process.

Infosecurity Europe 2019, held in the Olympia, London, is a leading event in the cyber security calendar bringing business, tech and communities together. Uleska CEO and founder Gary Robinson was a speaker at the event, addressing two prevalent cyber issues, whilst Uleska exhibited to a plethora of cyber practitioners. Here are just some of the key trends Uleska noticed throughout the event.

Automation and orchestration continue to be a trend that is driving the wider cyber security industry. On the security operations side, Security Orchestration, Automation, and Response (SOAR) is gaining a firm foothold in organisations’ mindsets.

On the software security side, by contrast, Application Security Testing and Orchestration (ASTO) is a few years behind SOAR, yet the success of SOAR is helping organisations see the value of ASTO.

Numerous visitors to the Uleska booth were attracted by an independent (i.e. non-tool vendor) view of the coverage provided by combinations of technical tooling against the security standards and regulations they need to meet.

Many security tool vendors have marketing departments which promise to cover every technical issue, yet the industry realises this is not the case. While organisations accept that no one tool will fix everything, they are finding it hard to get independent advice as to what tool coverage they do need.

Chief Risk Officers (CROs) have to deal with a lot of data. Cyber security has fought for years to get onto both the board and risk agendas and is now a firmly placed issue that must be addressed.

However, CROs have many aspects to consider, from finance, human resources and natural disasters to geopolitics, with cyber security being one more issue to be addressed on that list.

Yet within each aspect there are many subplots; for cyber, these include ransomware, viruses, network security, infrastructure security, application security, and more.

As previously mentioned, this means that each element the CRO has to manage, measure, and report on has to be succinct – the best case being a single number or statistic that shows the current state, impact, and whether things are getting better or worse.

Application security has historically been awful at this, throwing thousands of technical issues and high/medium/lows to describe the current state, which is simply not consumable for a CRO.

Cyber value-at-risk, culminating in a single monetary risk number that changes with the real risk in the software estate, provides such a measure that CROs can work with.

Many organisations are interested in maturing to a ‘standards-based approach’ to security testing, instead of a ‘tools-based approach’.

This means they are looking at the standards and regulations they need to adhere to, and asking “Which tools and processes can be combined to provide as much coverage of these as possible?”

This is a much more comprehensive approach than previous doctrine which started with using one or two tools or processes, allowing them to find issues towards the end of a project, fixing those issues, and then assuming all standards and regulations were covered.

All of this was done without any analysis of how those tools and processes aligned to the standards and regulations. This has led to blind spots in their technical programmes, which in turn led to breaches.