Understanding “Shadow Compliance” and Supply Chain Security


Not many people will be familiar with the idea of shadow compliance, but it could turn out to be one of the more consequential cybersecurity trends of the post-pandemic era.

A form of special due diligence, shadow compliance is best illustrated by a recent story of an unnamed company that was negotiating to sell its technology to a European bank, as recounted recently by Howard Taylor, CTO of security vendor Radware.

Communication between the parties progressed normally until one day the company received an unexpected call from its prospective customer saying that the bank had noticed unusual traffic emanating from the company's network. Could this anomaly be explained? It transpired that the bank had engaged penetration testers to probe the tech company's network for cybersecurity issues affecting its public-facing systems.

The traffic turned out to be a legitimate scan conducted by the company as part of its internal security procedures, but the fact that it had been asked to explain it made what was going on embarrassingly obvious: before becoming a customer, the bank wanted to test its potential partner's network for evidence of possible compromise or oversight.

Organisations expect to be probed for security weaknesses by cybercriminals, not other companies, and certainly not partners and friends. But that’s the thing about shadow compliance – it’s shadow compliance because you don’t know it’s happening until the company doing it tells you, assuming they ever do. In many cases, this sort of covert scanning will never be made public.

Why is this happening?

The short answer is the influence of zero trust, which CISOs take increasingly seriously. For decades, it has been standard procedure to give supply chain partners the once-over, a sort of basic due diligence that assessed their service reliability, past record, management, and financial health. In recent times, cybersecurity incidents were added to this list. When experts talk about the effect of a cybersecurity incident on reputational risk scoring, this is one of the things they are referring to.

But asking questions or looking at the past doesn't tell you everything. As the many ransomware attacks on big-brand companies underline, how secure a company looks from the outside or from a slick website isn't the same as how secure it is. Even the most attentive companies can miss important things. The game has changed, and nothing is being taken on trust. Assumptions about security are no longer good enough. A small but growing number of companies with the budget to hire penetration testers are subjecting their friends to evidence-based inspection.

Welcome to the era of the zero-trust supply chain.

What sort of tests are involved?

Shadow compliance is more superficial than a conventional authorised penetration test, which would probe far deeper into a company's systems and behaviour under pre-agreed rules of engagement. Nor will it involve any exploitation or illegal act. Then again, a test doesn't always need to be comprehensive to be revealing. This is information gathering: a test without the penetration element.

Shadow compliance testing involves looking for obvious red flags such as exposed devices or suspicious traffic. It might also involve a dark web check to see whether any sensitive company data is floating around that indicates a past or undisclosed breach. When stated like this, shadow compliance sounds quite sensible. Who wants to become a customer or partner of a company that can’t secure its own data?

Who is affected?

By its nature, evidence for shadow compliance remains anecdotal. It also costs money for the company carrying out the checks, so it's unlikely to be common behaviour yet.

However, one sector that might be under more scrutiny right now is technology, which is not hard to understand given the rise of sophisticated attacks targeting the software supply chain, such as those on SolarWinds in late 2020 and Kaseya in 2021. Attackers have realised that a technology supply chain serving thousands of customers is only as secure as its weakest link, in this case software vendors and service providers.

Other sectors that might be popular with attackers are energy, pharmaceuticals, and manufacturing and engineering, where the IP is valuable. Supply chain attacks can also affect even small suppliers. The belief that only larger companies are worth targeting is an out-of-date way of understanding the problem.

An intriguing use of shadow compliance is that cyber-insurers might conduct checks on customers before agreeing to insure against their risk. Again, the evidence for this is anecdotal, but the logic is hard to avoid. Hard facts from an independent report have become a compelling way to assess real-world risk.

How should organisations react?

One response is for organisations to check their own public-facing systems using the same pen testing approach. The objective is to understand vulnerabilities before someone else spots the same issues. It's also worth trying to understand whether the results of such checks might be misinterpreted, as they were in the Radware story above.
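The red flag named earlier, suspicious traffic, is also the one most easily misread, as the Radware story shows: an organisation's own authorised scan looked like a probe to an outside observer. The following is an added example, not code from the article or from Radware, showing how a defender can triage scan-like activity in perimeter firewall logs so that an allowlisted internal scanner is distinguished from an unexplained external source. The log line format, the sample lines, the scanner address range (192.0.2.0/28) and the five-port threshold are all constructed assumptions for the example.

```python
"""Triage scan-like traffic in firewall logs so that an authorised internal
scan is not mistaken for an external probe, and an external probe is not
dismissed as routine. Added example; the log format, allowlist and
threshold are assumptions, not values from the article."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

# Constructed sample lines in a hypothetical "<time> <src> -> <dst>:<port> <action>" format.
SAMPLE_LOG = """\
2024-05-01T10:00:01 192.0.2.5 -> 198.51.100.5:22 ALLOW
2024-05-01T10:00:01 192.0.2.5 -> 198.51.100.5:80 ALLOW
2024-05-01T10:00:02 192.0.2.5 -> 198.51.100.5:443 ALLOW
2024-05-01T10:00:02 192.0.2.5 -> 198.51.100.5:3389 DROP
2024-05-01T10:00:03 192.0.2.5 -> 198.51.100.5:445 DROP
2024-05-01T10:00:03 192.0.2.5 -> 198.51.100.5:8080 DROP
2024-05-01T11:15:10 203.0.113.10 -> 198.51.100.5:21 DROP
2024-05-01T11:15:10 203.0.113.10 -> 198.51.100.5:22 ALLOW
2024-05-01T11:15:11 203.0.113.10 -> 198.51.100.5:23 DROP
2024-05-01T11:15:11 203.0.113.10 -> 198.51.100.5:25 DROP
2024-05-01T11:15:12 203.0.113.10 -> 198.51.100.5:3306 DROP
2024-05-01T12:00:00 203.0.113.77 -> 198.51.100.5:443 ALLOW
2024-05-01T12:00:05 203.0.113.77 -> 198.51.100.5:443 ALLOW
garbage line that should be ignored
"""

# Hypothetical address range of the organisation's own vulnerability scanners.
AUTHORISED_SCANNERS = [ip_network("192.0.2.0/28")]

# A source touching at least this many distinct ports on one host is treated as scan-like.
PORT_THRESHOLD = 5

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ALLOW|DROP)$")


def parse_line(line):
    """Return (src, dst, port) for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _time, src, dst, port, _action = m.groups()
    return src, dst, int(port)


def scan_candidates(log_text, threshold=PORT_THRESHOLD):
    """Map (src, dst) -> set of distinct destination ports, keeping only
    pairs whose port count reaches the threshold."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            src, dst, port = parsed
            ports[(src, dst)].add(port)
    return {pair: p for pair, p in ports.items() if len(p) >= threshold}


def is_authorised(src):
    """True when the source address falls inside an allowlisted scanner range."""
    return any(ip_address(src) in net for net in AUTHORISED_SCANNERS)


def triage(log_text, threshold=PORT_THRESHOLD):
    """Return {(src, dst): (distinct_port_count, label)} for scan-like pairs.
    Allowlisted sources are labelled as the organisation's own scans; anything
    else is flagged for investigation rather than assumed benign."""
    result = {}
    for (src, dst), ports in scan_candidates(log_text, threshold).items():
        label = "authorised internal scan" if is_authorised(src) else "unexplained external probe"
        result[(src, dst)] = (len(ports), label)
    return result


if __name__ == "__main__":
    for (src, dst), (count, label) in triage(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {count} distinct ports: {label}")
```

The allowlist is the piece that prevents the misinterpretation described in the story: if the organisation keeps a current record of which addresses its own scanners use, the same record can be handed to a partner who asks about unusual traffic, and anything scan-like from outside that range is surfaced for follow-up instead of being lost among routine drops.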

Conclusion

It’s possible to see shadow compliance as a logical development of the way organisations are asking more questions these days. Normally this is a matter of requesting certificates or evidence that a company has conducted pen tests on its network at regular intervals. The difference with shadow compliance is that this process is done more covertly.

Not that long ago, penetration tests were seen as something most companies probably didn’t need to do. Now all companies conduct some form of penetration test, for example to achieve Cyber Essentials Plus certification or just for peace of mind. Think of shadow compliance as moving the same idea up a notch.


Written by John Dunn

John is a journalist and editor who has been covering the IT industry for over 30 years. He specialises in cybersecurity, mobile, cloud, open source, and networking. His work has appeared in a number of popular tech titles, including Personal Computer Magazine, Network World, and LAN Magazine. He helped to co-found Techworld in 2003, and he regularly writes for The Register, Which Computing, and Forbes. He’s been interviewed on BBC TV and radio, and on CBC in Canada. He tweets about cybersecurity and privacy issues.
