Were it an actual word (it isn’t), I would be known as an “audiobookaphile.” That is, someone who is enthusiastic about audiobooks. I listen to them a lot.
I listen while driving, while shaving, while grocery shopping, and while doing things around the house. I even listen to them when my wife is adding things to my “honey do” list. (Sorry, Rach!)
Thankfully, my audiobook habit is free. That’s because I borrow the books from the Boston Public Library, through a service that is available to all Massachusetts residents.
Rather than the more popular Audible – an Amazon company with which I have a love/hate relationship – the BPL uses an app called OverDrive. It has a terrific selection and I make great use of it. Last month, having just finished Dale Carnegie’s classic, How to Win Friends and Influence People, I went to check out Extreme Ownership, by Jocko Willink.
Uh oh. I couldn’t log in, and instead received a weird authentication message. I tried to reauthenticate. No luck. I tried again. Nope. Maybe I had the wrong credentials. Still nothing.
I continued trying throughout the day and was getting pretty frustrated. Extreme Ownership was finally available to me after months of waiting and I could feel the clock ticking on my two-week borrowing window.
Then I saw the message on the BPL web site: the library was under a cyberattack.
That’s right … one of my “key suppliers” had been knocked offline by the bad guys. Fortunately, I had many other available options: Audible, Hoopla, paying attention to my wife, etc.
All of which got me thinking about you, a business owner, who can be similarly sidelined if a critical vendor is shut down, immediately and without warning. If that happens, unlike in my OverDrive adventure, the stakes are much higher and the available substitutes far fewer.
So, what to do? Some suggestions…
#1. Develop a standby plan.
A standby plan involves figuring out – before the fact – how you would access other suppliers in the event that a key vendor becomes incapacitated. You can approach this in several different ways:
“Hot standby” means that you can switch over while hardly missing a beat. For example, if you run a data center in your office and you lose power, a hot standby means that you have everything already replicated on AWS. At that point, switchover simply involves changing the DNS routing and moving over until the local problem is fixed.
“Warm standby” is less turnkey. In this case, the infrastructure is already provisioned, but some manual cut-over and/or spinning up of resources is required. Usually, service would be restored in hours, rather than minutes.
“Cold standby” in the example above means that your data is backed up and you have contracts in place for substitute infrastructure. But none of this is built or ready to go, and you will likely experience significant downtime.
Finally, there is “alternative standby,” an approach that is even colder than cold standby (assuming that is possible). Here, your data is backed up and you may have some plans in place, but there are no contracts and the infrastructure needed does not yet exist.
So, which approach is best? As is often the case, it depends; you need to find the balance between acceptable cost and allowable downtime.
The Boston Public Library’s audiobook lending system can afford to limp along (if not shut down entirely) for a while. Your web-based sales engine, on the other hand, may well justify having hot standby in place.
#2. Develop a resiliency plan.
A standby plan is focused on sourcing alternative suppliers. A resiliency plan is about predetermining how you would manage if the function in question were simply unavailable.
For example, let’s say you rely on Slack for internal communications. You’re not going to switch your company over to a new vendor if Slack is down for a while – but you still need to communicate with each other in the meantime. What’s your fallback? Email? Zoom? Notes tied to rocks?
In this and any number of other unexpected and potentially harmful situations, the worst-case scenario is waiting until the problem is actively occurring to begin considering options.
#3. Evaluate your suppliers.
Many companies maintain historical relationships with vendors that they no longer need or even use. When an outage of some type occurs, and before you reflexively move to restore service, first make sure that you’re not better off shutting things down and walking away.
I remain a fan of OverDrive, but going without it for a period of time has forced me to consider other, possibly better, options. The same kind of thing may be true with your vendor relationships.
Conclusion
I write regularly about the potential for your business to be hacked, spoofed, ransomed, or otherwise infiltrated by the bad guys. But the fact is, your vendors can also fail in any number of ways, many of which can leave you vulnerable to loss of data, temporary shutdown, or worse.
The solution? Preplanning. While you may have little control over your vendors’ cyber security practices, you have complete control over your own preparedness in managing their missteps.
And speaking of missteps, if I don’t check off a few more items on the honey do list, this may be the last you ever hear from me.