It is said that an enterprise is only as secure as its weakest link. Today, that weak link often turns out to be partners, suppliers, and others with persistent network and application access.
These weak links have certainly placed third-party security into the spotlight. As we've seen this year, multiple breaches have been the direct result of security lapses at partners and third-party suppliers or vendors. Most notably, the Target breach was reportedly the result of a compromised contractor. While Target Corp. was the most visible, it certainly wasn't the only breach this year involving the IT supply chain.
This spring, business research firm Deltek warned customers that it had faced a breach where the attacker gained access login credentials including, perhaps, the credit card information of 25,000 users. Also this spring, Houston-based offshore contract driller Rowan Companies reported that they detected that their systems were breached and that that breach affected information not only about its employees, but also vendors and contractors.
And so it goes, over and over — enterprise data is placed at significant risk through the security slips of trusted partners.
Yet, concern for third-party security dips
You wouldn't think there was much to these third-party security risks when looking at the data within our 2014 U.S. State of Cybercrime Survey, which found third-party security slipping. The U.S. State of Cybercrime Survey is an annual survey by CSO Magazine with help from the U.S. Secret Service, the Software Engineering Institute at Carnegie Mellon University, and PwC. This survey is based on 500 US executives, security experts, and others from the private and public sectors.
The survey found fewer organizations — 44 percent this year compared to 54 percent last year — are bothering to put in the effort to vet the security of third party providers and others in their IT supply chain.
Interestingly, despite the steady news of third-party security breaches, roughly 70 percent of enterprises enter into contracts with external vendors without having conducted any security checks. Even supply-chain partners are not secured. A startling 92 percent of enterprises don't have any supply chain risk management abilities in place. "Indeed, criminals have found that third-party partners may provide relatively easy access to confidential data. It's an indirect path to criminal profit that is increasingly successful because most organizations make no effort to assess the cybersecurity practices of their partners and supply chains," the report concluded.
That will only grow increasingly true as more data and more systems are connected. Jay Jacobs, vice president at the Society of Information Risk Analysts would agree. "What we are seeing speaks to the weakest link in the security chain," says Jacobs. "The attackers don't have to attack anyone directly. Many times they really aren't even targeting any specific victim, they're targeting any organization with anything of value. And when they find a weakness they will exploit it in an opportunistic way, and that can easily include attacking partners."
Sign up for CIO Asia eNewsletters.