CIO Success Story: Looking At the Flip Side of Third-Party Risk
What happens when hackers target you to get at your client? In the second of our series of one-on-ones with security leaders, Focal Point sits down with Stephen Held of architectural engineering firm Leo A Daly to discuss how to not be the guilty party in a cyberattack.
The monumental SolarWinds hack of 2020 – where hackers inserted malicious code into commonly used software to breach tens of thousands of government and corporate networks – taught a critical lesson: It’s not enough to secure your own infrastructure; you have to watch your whole ecosystem of suppliers.
Indeed, 62% of network intrusions start with third parties, according to a 2022 Verizon report, and 73% of organizations in a KPMG study said they’ve experienced at least one significant disruption from a third-party cyber event in the past three years.
As chief information officer (CIO) in charge of cybersecurity for Leo A Daly, a global architecture engineering firm with 800 employees and 32 mostly U.S. locations, Stephen Held (at right) stays informed on such statistics. He’s also aware of what is quite possibly the least-asked question related to third-party risk.
What happens when you’re the third party?
Third-party risk is almost always discussed from the inside looking out. Who are the software suppliers and other third parties in your cyber ecosystem who might accidentally cause you harm? It’s a vital question to ask, but what about the flip side: Is your firm posing any risk to your clients?
A client that’s large and influential or maintains a significant amount of consumer data will be a juicy target for cybercriminals. And that makes you a target, too.
This is the kind of thing that keeps Held up at night, he says, and he is determined to keep his firm from being the reason a partner gets attacked.
Focal Point had the opportunity to sit down with Held to learn more about how his organization is navigating today’s threat landscape.
[This interview has been edited for clarity and length.]
You wouldn’t think an architecture engineering firm would be prone to cyberattacks, but clearly you’re concerned about the possibilities. Why’s that?
I thought the same thing several years into my CIO career with the company.
But that changed as we increasingly saw attack vectors evolving. Hackers might not really want to get to you, but they could be targeting you to get to someone you’re connected to. Depending on who your clients might be or if you’re doing work with government entities, you could be more vulnerable to attack.
Depending on who your clients might be or if you’re doing work with government entities, you could be more vulnerable to attack.
Today, it almost doesn’t matter what industry you’re in; your partners in the public and private sectors are all asking for heightened cybersecurity, data protection, and recovery standards. For those reasons, we’ve had to make sure we are not the easiest target.
How do you manage that?
We think about the attack landscape from a couple different perspectives. For example, we have about 1,200 computers in our environment. It’s entirely possible someone might try to use those to launch a distributed denial of service (DDoS) attack. It wouldn’t necessarily have anything to do with our business. They probably wouldn’t want to steal architectural drawings; they just want control of those devices to go after someone else. So we must do our utmost to protect clients against all these scenarios.
What else are you doing to keep from being the reason a client gets hacked?
Well, besides DDoS attacks, we have to think about all the different kinds of attack vectors out there and deploy the right technologies and processes to secure them.
A lot of it connects back to software supply chain security and the software titles we use. If we have one that’s showing up in headlines as being vulnerable, like SolarWinds or MOVEit, I have to know if we have them and, if so, if we’re keeping them properly patched. That goes for all of our software since we know all software contains vulnerabilities.
[Read also: The U.S. government’s battle plan to fortify supply chains]
What keeps you up at night as a security professional?
What doesn’t keep me up? I think the most about two things: One is what I say to the outside world.
AI is being used to generate “grammatically perfect” phishing attacks. That means the indicators we’ve relied on and trained on to spot a fraud are no longer valid.
We engage in conversations like this to share cybersecurity best practices and awareness in hopes to save each other, all the while knowing we are a work in progress. Security is a moving target. As the defenses get better, the attacks get more sophisticated. I recently heard how artificial intelligence (AI) is being used to generate “grammatically perfect” phishing attacks. That means the indicators we’ve relied on and trained on to spot a fraud are no longer valid.
The other thing – and it’s perhaps scarier to me – is that other firms much bigger than ours with more resources are still being breached. I watch the time and stress they put in when they’re hit, and it’s daunting. No one wants to have to send notices to clients alerting them to a breach. I’m always trying to get ahead of that.
What technology are you applying to secure your network?
We apply a mix of security technologies, including security incident event management (SIEM), intrusion detection, intrusion mitigation, and endpoint solutions. We’re using multifactor authentication (MFA) more than passwords. We separate administrator rights. And we use a network-attached storage (NAS) and file server consolidation platform that allows a geographically dispersed environment and to synchronize files while utilizing some baked-in security features.
We also have every one of our employees go through annual security training, and part of that regimen includes a section on insider threats.
Have you had any close calls with employees being scammed?
Yeah, what we’ve seen lately is employees receiving text messages or emails that supposedly come from CEOs or CFOs saying things like, “Hey, I’m trying to give out some gifts. Go out and buy a bunch of $100 Amazon gift cards and send them to me.”
We did have one employee that actually purchased those gift cards, which we then luckily caught because the employee went to the CFO and asked, “What do you want me to do with them now?”
We have a fairly consolidated accounting department that helps keep a tight rein on stuff like that, but we also train our employees to be on the lookout for those kinds of scams. And our employees have been pretty good about notifying us when they see social engineering things happening.
Is zero trust part of your cybersecurity strategy?
We’ve talked about adopting a zero trust mentality. But it’s quite a lot to take on and it’s really counter to working in a highly collaborative environment. We want to do it. We want to subscribe to zero trust. But we’re not there yet. It would require a major shift in network management, and that will take time.
TO LEARN MORE
Check out other exclusive interviews with security leaders in our “Success Stories” series.
- CISO Success Story – Predicting Cyber Risk (Accurately) Is Easier With This Guy’s Formula
- CISO Success Story – How LA County Trains (and Retrains) Workers to Fight Phishing
- CISO Success Story – How to Build Trust With the Board? Don’t Talk Cybersecurity (Much)
- CISO Success Story – How Zoom Achieved Cybersecurity 2.0 With Cyber Risk Scoring