Carlos Hernández Gil

Cyber Intelligence and Exposure Management at Telefónica Tech.

Cyber Security
Third-Party Risk: The Hidden Threat to Your Business
Organizations today work with a multitude of vendors to outsource various processes in their operations: raw data storage, security, accounting, customer support, human resources, among other examples. Such interconnectivity generates significant benefits by making processes faster and more efficient, employees more productive and the companies themselves more competitive. However, a company's links with its suppliers also greatly increase its exposure to digital risks. Failures in a vendor's security defenses and practices, or those of its own third parties, can put the company's data, systems, and networks at risk, even if the company has relatively robust defenses.

It is difficult to generalize because the figures vary greatly depending on the region, sector, or type of company, but according to a study by the public entity ICEX Spain Export and Investment, the average Spanish company relied on at least 100 suppliers in 2021. And these numbers will continue to rise as business ecosystems.

At what point do suppliers become targets for cybercrime?

In their constant evolution of targets and tactics, cybercriminals have not overlooked this fact. Although there are different types of cybercriminals (those motivated by revenge or by the simple desire to show that they are capable of it; hacktivist profiles, which always have an ideological component behind them; state-sponsored actors; or those who engage in corporate espionage, among others), they all share the same motivation: financial gain. About 95% of the more than 5,000 confirmed information leaks throughout 2022 were economically motivated, and 62% of them occurred through a third party.
Putting on the cybercriminal's hat for a moment, let's think: why attack a company with apparently solid defenses when I can attack another company with less robust defenses, one that has access to sensitive information I can then take advantage of, and whose compromise will cause a domino effect that wreaks havoc on a multitude of companies worldwide? Less effort and much, much more profit.

A brief history of supply chain attacks

Unfortunately for the good guys in this story, the math is clear. Thus, the number of supply chain attacks has risen sharply in recent years. Although there are many and varied examples, here are just a few of the most prominent ones.

If we go back ten years, a very famous attack was suffered by the American department store chain Target, after the theft of credentials from a supplier of air conditioning systems that was doing work in some of its centers. This incident led to the theft of 40 million credit cards and the personal information of 70 million customers. The numbers may not attract much attention when compared to more recent attacks, but at the time it made a big impact.

A series of high-impact attacks followed in the next few years:

In 2015, T-Mobile suffered collateral damage from the attack on Experian, one of its providers, which resulted in the theft of personal information of 15 million users.

In 2016, Uber suffered the theft of confidential information of 57 million users and drivers, after attackers obtained credentials in a code repository with which they then accessed a cloud storage provider.

In 2017, Equifax suffered an incident through an unpatched vulnerability in a third-party software application. Attackers managed to steal the personal information of more than 140 million people.

In 2018, it was the Marriott hotel chain that suffered the theft of personal information of more than 500 million guests through an attack on the booking platform it used for its hotels.
However, the attack that probably put supply chain attacks back on every company's radar was the one suffered by SolarWinds in 2020. This software company offers SaaS solutions in a variety of areas. Its most widely used product was the victim of an attack through which attackers ended up compromising more than 18,000 organizations worldwide, both public and private, with a strong impact in the U.S., where more than 400 Fortune 500 companies were affected.

And so we come to 2023. Last April, in its weekly threat report, our Threat Intelligence team analyzed the cl0p group, highlighting its ability to cause significant operational and reputational damage by leaking confidential documentation stolen from a multitude of victims worldwide. It specifically warned about one of the techniques used, which consists of exploiting vulnerabilities in specific products such as the Accellion FTA file transfer system or the GoAnywhere MFT secure file transfer tool, which had an impact on more than 130 organizations worldwide. Shortly afterwards, in June of the same year, the cl0p group made all the cybersecurity news headlines with its attack on the MOVEit file transfer tool. Despite being a technology whose popularity is limited to the United States, the impact of this attack has been global, affecting more than 2,000 organizations (including British Airways, the BBC and Tesla, among others) and more than 60 million people.

How to protect oneself

Threats to the supply chain will continue to occur. That's why it's important to integrate third-party risk management into the day-to-day operation of companies, drawing on effective practices such as:

Assessing the security posture of third parties. Eighty-three percent of those surveyed by Gartner responded that they discovered risks in their suppliers after onboarding them into their supply chain. This highlights two things: the relevance of understanding the security risks that a supplier may pose to our business prior to onboarding; and that traditional methods for measuring that risk, such as security questionnaires, while useful, are not the most effective solution, and it is better to resort to assessments based on objective data.

Continuous monitoring of the entire supply chain. Once a supplier is incorporated into our supply chain, it is necessary to maintain risk monitoring throughout the life of the relationship by creating automatic alerts that warn us when new risks are identified or when the supplier's risk profile changes. This in turn solves another of the weaknesses of traditional methods, which tend to provide a static picture of the risk at the time the analysis is performed.

Third-party supplier monitoring. As we have seen above, it is increasingly common for a supplier to be compromised through one of its own third parties. It is therefore crucial that supply chain monitoring also extends to the suppliers of our vendors (such as SaaS applications or cloud hosting providers). This allows us not only to identify risks when they occur, but also to be clear about where the risk of our suppliers' technology stack is concentrated.

Reporting in business terms. Fighting risk in the supply chain is a task that involves a multitude of areas and profiles within the same organization. For this, as in many other areas, communication plays a fundamental role. Being able to move from a conversation with technical metrics and Cyber Security jargon to one in business terms will facilitate communication with all stakeholders and their alignment to achieve the common goal.

Fight third party risk with Telefónica Tech

Improving the resilience of your supply chain and combating the hidden threat to your business posed by third party risk is possible with Telefónica Tech.
Within our NextDefense Cyber Threat Intelligence service portfolio, we offer the Third-Party Risk service, in which we combine the technology of Bitsight, a leader in the field of security ratings, with the professional services of our global DOC, to enable our customers to continuously monitor the security level of their suppliers, measure the security controls of their suppliers, mitigate risk in the supply chain, and quantify and communicate risk in a language understandable by all leaders of the various security functions in the organization.

Our Third-Party Risk service also includes the evaluation of potential suppliers before engaging in a business relationship with them. This allows us to identify potential security risks and make informed decisions about whether or not it is safe to work with them. This comprehensive and proactive approach enables us to help our customers strengthen their supply chain and protect their business from potential external threats. This not only benefits our customers, but also contributes to raising security standards throughout the supply chain.
November 13, 2023
Cyber Security
How DRP (Digital Risk Protection) solutions protect your business from cyberthreats
Digital transformation has long since gone from futuristic news headlines to reality. In today's business ecosystem, the digitization of operations is essential in practically all organizations because of the benefits it brings: extending their reach to a greater number of customers, improving satisfaction, optimizing processes, reducing costs... Not only for the companies themselves, but also for their customers, employees, and suppliers. However, the convenience and efficiency of moving on this digital plane brings with it other less desirable consequences, such as the exponential increase in digital assets and, above all, their exposure to digital risks. In this context, the Digital Risk Protection concept (commonly known as DRP) is particularly relevant, helping companies to know and protect their digital assets without the need for in-depth technical expertise.

But, what are digital risks and why are they important?

Let's start from the beginning: what are digital risks? We can define them as the potential damage or negative impact resulting from the increasing reliance on digital tools. Companies are already used to facing traditional risks such as physical hazards (fires, natural disasters, accidents) or disruptions in their supply chain. These risks are tangible; have a localized impact (e.g., a fire in an office or a demonstration at the entrance of a warehouse); and are well known, allowing procedures (physical security measures, safety protocols, disaster recovery plans) to be put in place and insurance to mitigate them.
In contrast, digital risks are of a changing nature, as technologies are constantly developing; they can affect a company's operations, reputation and customers around the world; because of their complexity, insurance does not always cover the financial or reputational consequences (although this is also something that is advancing by leaps and bounds); and their mitigation requires specialized measures, such as regular software updates, removal of fraudulent content or content that should not be accessible from the Internet, employee awareness, intrusion detection systems or incident response plans. Companies must be able to effectively manage both traditional and digital risks to ensure resilience and continuity, but because of their different characteristics, they require different approaches and expertise.

Prevention is better than cure

This could be the motto of any Digital Risk Protection service, as its main purpose is to act as a shield protecting a company's digital footprint against digital risks. These digital risks can cover a wide range of threats, for example:

Data leaks: the exposure of sensitive information can occur deliberately (exfiltration following a ransomware attack, hacktivist attack, insider) or fortuitously (carelessness, security breaches). In any case, data leaks are a real headache and expose companies to major financial and reputational problems.

Brand abuse: the unauthorized use of a company's brand, logo, or any other element of intellectual property for the purpose of carrying out scams targeting its customers or suppliers through impersonation on social networks, websites, emails, or other media, which can have an impact on brand image and corporate reputation.

Cyberattacks: deliberate attempts to compromise the security of systems, gain unauthorized access, steal confidential data, disrupt operations or achieve other malicious purposes, through malware, phishing, or attacks that exploit vulnerabilities.
As we can see from these examples, threats can in turn have an impact at various levels:

Financial: IBM's annual report on the cost of a data leak already puts it at an average of $4.45 million, representing a 15% increase over the last three years. But this is not the only example of financial impact: the loss of funds due to fraudulent transactions; the payment of fines for non-compliance with regulations or penalties for non-compliance with commitments; the reduction of business due to the paralysis of activity; the payment of a ransom to regain access to data after a ransomware attack or the purchase of exfiltrated data, which, although not recommended practices, can occur in times of desperation.

Legal: regulatory pressure is increasing, with significant penalties for non-compliance. The Marriott hotel chain was affected by a data leak that resulted in a £99 million penalty by the UK authorities.

Operational: systems downtime or loss of access to data can result in a disruption of a company's normal business. A clear example was the cyber-attack suffered by Colonial Pipeline, which paralyzed its operations for six days and caused widespread fuel shortages in the southeastern United States.

Reputational: in general, security incidents have a negative impact on the perception of a company, sometimes resulting in a loss of trust from partners or customers and increased scrutiny from regulatory bodies. They can also affect the market value of listed companies, as in the case of SolarWinds, whose shares lost more than 20% of their value in the week following the revelation of the attack.

How a Digital Risk Protection service works

Having a clear picture of the level of impact that digital risks can have, it is important to have a Digital Risk Protection service to help us manage them properly.
We will help you identify the characteristics you should look for in order to find out which service is best for you:

Asset identification: as we mentioned at the beginning of the post, the exponential increase of assets sometimes makes it difficult for a company to have a map of its digital footprint. Therefore, the first point of a good DRP service should be the ability to survey these assets.

Monitoring: based on this inventory of assets, all sources are then monitored for mentions or content related to these assets that could pose a threat to the company. At this point, the important thing is to have a wide range of sources that is always kept up to date, since, due to the nature of cybercriminal activity, the sources are very changeable.

Alerts: when suspicious activity or content is detected, it is crucial to inform the customer so that they can take appropriate action. To this end, real-time alerts are generated with all available contextual information and indications on actions to be taken.

Response: finally, it is vital that the service has a specialized team and response capabilities to mitigate the impact of threats.

And, above all, all of these points must be carried out on an ongoing basis.

How a DRP service can help you

We could list several benefits, but we will simply highlight a few of the main ones:

Identify security gaps: it is difficult to protect what we do not know. Identifying exposed assets helps minimize successful attacks by reducing the attack surface.

Protect brand and online reputation: continuous monitoring of channels related to your industry or where your company has a presence can help prevent and identify threats that damage your company's reputation.

Mitigate cyberattacks: the findings of a DRP service can inform other teams so they can take appropriate measures and block access to systems or resources that may be vulnerable, thus avoiding security incidents.
Reduce costs: in addition to avoiding the financial consequences we have seen above, having an outsourced service allows us to save on hiring profiles for which there is a lot of demand and little supply.

Comply with regulatory requirements: one of the main assets of companies is information (about their business, their customers, their suppliers...). A DRP service helps to protect this information and monitors continuously to identify potential risks that affect regulatory compliance.

Improve security posture and resilience: ultimately, all actions performed by a DRP service are aimed at protecting digital assets and information, which strengthens the security posture and improves the resilience of enterprises.

And how can Telefónica Tech help you?

Fortunately, you don't need to have the capabilities in-house or advanced technical expertise to properly manage digital risks. You simply need a trusted partner with an offer tailored to your level of maturity and your requirements. Telefónica Tech has the professionals and experience to be your trusted partner.

Within our NextDefense service portfolio, our Digital Risk Protection service meets the characteristics we have discussed in this post: we help you identify your assets; we have access to a wide range of sources (internal, open web, deep and dark web, and proprietary sources thanks to our partners' ecosystem) that we monitor continuously; our team of analysts detects the issues that may negatively affect your business, analyzes them both manually and with the help of advanced AI and ML techniques, contextualizes them, and reports to you only those that may pose a threat to you, reducing the noise and allowing you to focus your resources where they matter; and finally, our specialized fraud prevention team works on mitigating and removing the threats that affect you.
In this way, we cover end-to-end digital risks with a service that adapts to your needs and has a predictable and flexible cost model that scales with your business.
November 6, 2023