Hacked F-35 Fighter Info from Australian Contractor Exemplifies Third-Party Risk in Cybersecurity

Third-party risk (or nth-party risk) is a hot topic in cybersecurity. While it can mean many things, at its core third-party risk describes a situation in which an organization that does a good job of protecting its own network and data, within its environment, works with other organizations that do not do such a good job and those organizations (third-parties or nth-parties), through their weaker security practices, put the first party’s network and data at risk.

This past week we learned that hackers had access to the network of a relatively small company that is a contractor for the Australian Signals Directorate for almost a year. The hackers were able to exfiltrate roughly 30GB of data including data about sensitive United States military assets such as “restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and a few Australian naval vessels.” Read more about the attack here: Hackers steal restricted information on F-35 fighter, JDAM, P-8 and C-130

This is a classic example of cybersecurity third-party risk and one every business should understand — just ask Target about its HVAC vendor, Fazio Mechanical. If you’re interested in learning more about these concepts, take a look at a recent checklist I created: Managing Third-Party Risk in Cybersecurity

For yesterday’s example of third-party risk see Third-Party Risk in Cybersecurity Exemplified by North Korea’s Stealing of US War Plans.

Third-Party Risk in Cybersecurity Exemplified by North Korea’s Stealing of US War Plans

Third-party risk (or nth-party risk) is a hot topic in cybersecurity. While it can mean many things, at its core third-party risk describes a situation in which an organization that does a good job of protecting its own network and data, within its environment, works with other organizations that do not do such a good job and those organizations (third-parties or nth-parties), through their weaker security practices, put the first party’s network and data at risk.

This past week we learned that the North Koreans stole the United States’ war plans for battle with North Korea. How did they do this? By cyberattack — not on the United States, which likely had the plans fairly well secured — but by cyberattack against the United States’ “partner” in this endeavor, the South Koreans, with whom the US had shared its plans. Read more about the attack here: ‘Ridiculous Mistake’ Let North Korea Steal Secret U.S. War Plans

This is a classic example of cybersecurity third-party risk and one every business should understand — just ask Target about its HVAC vendor, Fazio Mechanical. If you’re interested in learning more about these concepts, take a look at a recent checklist I created: Managing Third-Party Risk in Cybersecurity

Checklist: Managing Third-Party Risk in #Cybersecurity

If I timed this right, when this post publishes, I will be about to present at the ISACA CSX 2017 North America Cybersecurity Nexus Conference in Washington, DC. My talk is titled Legal Issues Associated with Third-Party Risk.

I am publishing this post with the #CSXNA and #CyberAware hashtags in the title so that conference attendees can find it on Twitter, as I turned in the slides a few weeks ago and only this morning thought of creating a checklist. Hope you find this helpful, and here are the full slides.

ISACA Checklist - Process for Managing Third-Party Risk

Here are a few tweets from earlier:

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Uber’s Settlement With FTC Emphasizes Companies’ Need for Cyber Risk Management Programs

The FTC and Uber have settled the enforcement action the FTC brought against the company. This action stems from Uber’s data breach of more than 100,000 individuals’ PII despite its promises that their data was “securely stored within our databases.” The FTC found this promise was misleading when compared with the actions the company was really taking. In settling the dispute, Uber entered into a Consent Decree that

Critical Steps Companies Must Take to Comply with New York’s Cybersecurity Rules – Ethical Boardroom

New York’s Cybersecurity Regulations went into effect on March 1, 2017 and their impact could reach farther than you think — including to small and mid-sized companies that do not do business in New York and are not in the financial services industries. And, they require direct involvement by the Board of Directors. Is your company ready?

In my latest Ethical Boardroom article, I explain

  1. how these Cybersecurity Regulations can impact businesses of all sizes, in all industries, and all around the world,
  2. what specific steps regulated companies must take to be in compliance with the Cybersecurity Regulations, and
  3. what these Cybersecurity Regulations mean for nearly all companies.

Here is the full article from the Winter 2017 edition (page 140) which is available with free registration to the Ethical Boardroom website: Getting to Grips with New York’s Cybersecurity Compliance Rules

Here are other Ethical Boardroom (@EthicalBoard) articles that I have written that are also available for free:

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.