No enterprise is an island. In a connected world, a business cannot function without multiple relationships with third parties — outside vendors, contractors, affiliates, partners and others.
That can be a very good thing for growing a business. But it can be a very bad thing for security. While the careless insider still tends to be viewed by experts as the weakest link in the security chain, the third-party contractor (with its own group of potentially careless insiders) is now sharing that spot, creating what is somewhat euphemistically called a major "pain point."
Ron Raether and Scot Ganow, attorneys with Faruki Ireland & Cox, noted in a recent white paper for NetDiligence that while firewalls, user credentials and strong passwords remain important, the protection they provide is incomplete.
The exploding number of online access points to companies means, "our walled fortress of firewalls and the like now has hundreds and thousands of doors. These doors are guarded by sentinels that allow any variable packet (think an employee badge without a picture) to pass through that wall," they wrote, in the paper titled, "Traitors in Our Midst: The risk of employee, contractors and third parties in the age of the Internet of Things and why security in depth remains critical to risk management."
The high-profile breach of retailer Target last December, which began with an email phishing attack on a heating, air conditioning and refrigeration contractor, is just one example. An employee of that contractor clicked on a malicious link, the attackers came away with the contractor's credentials for Target's network, and the intrusion that followed exposed millions of payment cards.
Paul Trulove, vice president of product management at SailPoint, said similar breaches are, "all too common, especially within the communications and IT sectors. Just last week, AT&T disclosed that the personal information of its mobile customers was compromised by one of its third-party vendors," he said. "The breach allowed employees of a service provider to access customer account information, including dates of birth and Social Security numbers."
It is not a new problem either. MacDonnell Ulsch, CEO and chief analyst at ZeroPoint Risk Research, wrote nearly a year ago in SearchSecurity that, "almost without exception, a third-party vendor or affiliate is involved," in a successful cyberattack.
There are a variety of reasons for the pain. Jody Westby, CEO of Global Cyber Risk, said a major one is that too many companies have not focused on security in contracts with third-party associates. "Most companies have barely begun to get their arms around managing security issues associated with arm's-length outsourcing of IT functions and business processes," she said.
"Companies find they have little bargaining power in requesting security measures from these providers. The third-party market blossomed and seized the opportunity before its customers thought to require security measures as part of the bargain. But the reality is that third-party providers are rich targets," she said.