“Customers need to hold their cybersecurity vendors to a pretty high level of assurance in terms of their own internal security practices,” expert says.
Threat actors could be coming for your organization via third party vendors—a danger in a cybersecurity landscape where IT teams and budgets are often stretched, necessitating outside help.
RSA Security CEO Rohit Ghai sees backdoor attacks on vendors as a major concern, he said, likening it to healthcare workers taking appropriate hygiene precautions.
“The world may not be security first, but the cybersecurity vendors better be. The doctors better be washing their hands,” Ghai said.
By going after the back door, Ghai explained, attackers are breaching the “alarm system” of an organization, somewhere entry is less likely to be detected.
Vend on. But IT teams are not an easy get, at least not compared to the potential infiltration hackers can achieve by attacking vendors, which can service multiple organizations. Plus, attackers can use disruption tactics to undo faith in cybersecurity as a whole.
“Fear is a weird kind of emotion, and these guys prey on people’s fear, confusion, and all of that, so by targeting cybersecurity vendors and breaching them, they’re actually eroding confidence in the cyber industry at large,” Ghai said.
Cybersecurity vendor funding has declined in recent months. It was reported back in April that some industry businesses are seeing a precipitous drop in investment—mostly the ones that are trying to overpromise on what they can deliver.
“In 2021 and 2022, we saw an unbelievable amount of funding to the tune of tens of billions of dollars going into cybersecurity vendors; it was almost like a fad,” Pinpoint co-founder and managing partner Marc Sasson said at the time. “In 2023, it really came down to earth.”
Fix me. So what can IT teams do to protect against these backdoor attacks? Ghai laid out a four-pronged plan: patching and updating systems, strong passwords with a move toward passwordless, multi-factor authentication, and avoiding phishing scams. He added that platform integration and continuing education and collaboration on security issues are also helpful.
Most important, when dealing with vendors, is to research when and how they’ve been breached in the past, and how they handled it. Was it a sophisticated attack, or a matter of security hygiene? If the latter, has the vendor fixed the issue? For Ghai, knowing is more than half the battle.
“Customers need to hold their cybersecurity vendors to a pretty high level of assurance in terms of their own internal security practices,” Ghai said.