
Deconstructing RSA’s “Getting Ahead of Advanced Threats” Report—The Importance of the Extended Enterprise

What is the extended enterprise and how does it impact organizations’ cyber security? That’s a critical question we’ll tackle in this second installment from our continued analysis of the report, “Getting Ahead of Advanced Threats” from the Security for Business Innovation Council (SBIC)[1].

What is the Extended Enterprise?

Coined years ago, the term "extended enterprise" acknowledges that organizations are no longer just made up of employees and management working under one roof, but also encompass a tightly knit network of partners, suppliers, service providers, and customers. Fast forward to the digital present, where it has taken on a whole new meaning and a whole new implication in terms of security risk. Enterprises today exchange information almost completely online with a vast ecosystem of providers and partners, and corporate data and systems are directly or indirectly connected in more ways and at more points than ever, enabled by technologies such as cloud computing, virtualization, data and transaction integration, social networking, etc.

Take your IT department as an example. They regularly connect with Domain Name Registrars and Internet Service Providers (ISPs), Third Party Application and Content Providers, Automated Clearinghouse (ACH) transaction partners, credit card processors, order fulfillment services and outsourced customer service providers, and much more.

Your Extended Enterprise Has Been Breached. But How Does That Affect You?

While this increased efficiency and seamless engagement with outside organizations in virtually all business processes is good for the bottom line, it opens enterprises to a whole new set of security issues. Any security breakdown outside of a company’s walls can instantly become a problem inside its walls.

As an illustration, let’s assume your organization processes transactions through Partner A—a payroll service or e-mail marketing firm, for instance—and that company is hacked. Now financial, customer or employee information you’ve shared with Partner A is in the hands of cyber criminals to use as they please. As another example that may hit even closer to home, let’s assume your organization is bidding to acquire a foreign company, and the law firm handling your negotiations is penetrated by cyber spies who learn your bidding strategy. Then your company loses out on the bidding—or is forced to pay top dollar—for the foreign company. Do these examples sound far-fetched? They have all happened, many times.

Cyber criminals looking to score information about your company, employees or customers know they don’t have to go right to the source to get it. With the inherently insecure nature of the extended enterprise, that information is theirs for the taking just as long as they can find their way into any one of the partners or vendors your company shares information with. A successful targeted attack on an extended enterprise partner through spear phishing or other social engineering scheme can give them access to your data without your ever knowing it—and unless the extended enterprise partner discovers the breach and alerts you to it, you may continue business as usual without any idea that your sensitive data has been compromised.

The First Step—Identifying Points of Penetration

So now that we’ve explained how extended enterprise partners can leave gaping security holes, where do you start? The first step is identifying the departments and processes that constantly share data with outside partners. SBIC begins by identifying this in a series of charts in Section 2 (specifically chart 4, page 8) of the report, under “Business Strategy.” The chart identifies two points of weakness when it comes to extended enterprise partners: “Information regarding outsourcing of business processes to external providers,” and, “Notice that company will be undergoing merger negotiations.”

While these are great building blocks for identifying vulnerabilities with extended enterprise partners, they are just that: a starting point. Here at IID, we find that specifying which business partners to look at in specific departments is a much more thorough and complete way of getting to the bottom of which partners could be an access point for cyber fraud. For example, an audit of the IT, legal, sales, human resources, marketing, and research and development departments can be eye-opening. IID’s Rod Rasmussen outlined this process in a Security Week article in 2010.

Sharing Information is Key

The SBIC report also emphasizes that the key to stopping cyber attacks is sharing information with everyone from government agencies to open source organizations to everyone in an extended enterprise. We at IID couldn’t agree more and we’re glad that SBIC included a special section on extended enterprises that you should be coordinating data with (we’ll get to the government agencies and open source organizations in a future post).

The report also includes a sampling of who in an extended enterprise you should share information with, specifically pointing out, “Supply chain, Business-process outsourcers and service providers.” While these are indeed some of the key extended enterprise partners, the report left quite a few out, such as the above-mentioned IT, finance and accounting, legal, human resources, sales, marketing, and research and development departments. Not only will identifying these organizations help you track down where a data breach may occur, but it will also help you get in front of the next cyber threat by sharing information and coordinating with outside organizations. Given the ever-evolving nature of cyber threats, the more resources that can be brought to bear, the better.

If you’ve got a contracted relationship with these extended enterprise partners, consider what SBIC recommends in the report and include information-sharing obligations in contracts. The information points these organizations can provide are endless: from best practices and security tips, to attack indicators and validation of similar activity on other networks. One would be foolish to not take advantage of this “outside insight” from partners you already have an established relationship with.

The Extended Enterprise—A Blessing and a Curse

In today’s Internet-connected world, organizations routinely and necessarily share large amounts of proprietary and mission-critical information with others. While this sharing of information is a security loophole that could provide an extra avenue for cybercriminals, it is essential for business and can actually be turned into a security weapon. By arming your organization with the cyber security information and experience of dozens of organizations, your enterprise should be ready for that next cyber attack. Think of your extended enterprise not as a cyber threat, but rather a piece of actionable cyber intelligence that is always getting smarter.

What exactly is actionable intelligence and how do you find resources that are skilled in uncovering this information? Find out soon in the third installment of our six-part series deconstructing the SBIC report.
