Did the NY Times fail to ensure their suppliers were cyber secure?

A common mantra about cyber security is that your security is only as strong as the weakest link. But what happens when the weakest link is outside of your control? The Syrian Electronic Army (SEA) are reportedly to of hacked the New York Times website by attacking the company that registered the domain names for the New York Times, the Huffington Post UK and Twitter.

With modern businesses having complex supply chains, problems can occur within the supply chain that affects the organisation at the top. It has happened before in the physical world, with the complexity of supply chains for meat products. In the past, fraud has taken place where cheap horse meat entered the chain instead of expensive beef and the consequences were felt all the way to the supermarkets retailing manufactured ready meals. The same goes for the cyber security of supply chains, hackers can target smaller organisations that may have weaker information security controls in place and be able to either use trusted systems to infiltrate organisations higher up the chain or manipulate the supply chain to affect those at the top, which is what the SEA did. By getting passwords that were used to control the domain settings for the targeted media organisations, the SEA was able to replace the official website with one of their own making.

An organisation can have contractual controls in place for their supply chain which ensure that they have strong cyber security defences. These controls could include asking suppliers to have a recognised information security management system in place such as ISO27001 before doing business with them or ensure industry relevant standards such as PCI-DSS are being complied with.

In addition to such controls and agreed service level agreements, organisations may request suppliers to undertake an annual vulnerability scan or penetration test to identify vulnerabilities and ensure on a regular basis that the cyber controls are working.

Organisations need to ensure that they not only deal with the cyber threats within their own organisation but be aware of the cyber security in their supply chains. Information Security professionals require a wide body of knowledge across diverse areas of security. Certifications such as the CISSP from the (ISC)2 can help those working in information security to gain the necessary awareness of the whole spectrum of security required for them to undertake their roles in protecting the organisation from internal and external threats including those arising from the use of 3rd parties.