No enterprise is an island. In a connected world, a business cannot function without multiple relationships with third parties -- outside vendors, contractors, affiliates, partners and others.
That can be a very good thing for growing a business. But it can be a very bad thing for security. While the careless insider still tends to be viewed by experts as the weakest link in the security chain, the third-party contractor (with its own group of potentially careless insiders) is now sharing that spot, creating what is somewhat euphemistically called a major "pain point."
Ron Raether and Scot Ganow, attorneys with Faruki Ireland & Cox, noted in a recent white paper for NetDiligence that while firewalls, user credentials and strong passwords remain important, the protection they provide is incomplete.
The exploding number of online access points to companies means, "our walled fortress of firewalls and the like now has hundreds and thousands of doors. These doors are guarded by sentinels that allow any variable packet (think an employee badge without a picture) to pass through that wall," they wrote, in the paper titled, "Traitors in Our Midst: The risk of employee, contractors and third parties in the age of the Internet of Things and why security in depth remains critical to risk management."
The high-profile breach last December of retailer Target, enabled by an email phishing attack on a heating, air conditioning and refrigeration contractor, is just one example -- an employee of that contractor clicked on a malicious link, leading to the compromise of millions of credit cards.
Paul Trulove, vice president of product management at SailPoint, said similar breaches are, "all too common, especially within the communications and IT sectors. Just last week, AT&T disclosed that the personal information of its mobile customers was compromised by one of its third-party vendors," he said. "The breach allowed employees of a service provider to access customer account information, including dates of birth and Social Security numbers."
It is not a new problem either. MacDonnell Ulsch, CEO and chief analyst at ZeroPoint Risk Research, wrote nearly a year ago in SearchSecurity that, "almost without exception, a third-party vendor or affiliate is involved," in a successful cyberattack.
There are a variety of reasons for the pain. Jody Westby, CEO, of Global Cyber Risk, said a major one is that too many companies have not focused on security in contracts with third-party associates. "Most companies have barely begun to get their arms around managing security issues associated with arms-length outsourcing IT functions and business processes," she said.
"Companies find they have little bargaining power in requesting security measures from these providers. The third-party market blossomed and seized the opportunity before its customers thought to require security measures as part of the bargain. But the reality is that third-party providers are rich targets," she said.
Another reason is that the access of third parties is not always tracked as well as it is with regular employees. "Based on a relationship's longevity and personal interactions, third-party trust levels sometimes meet or exceed the level of insider trust," Ulsch wrote.
Trulove agrees. "They are not salaried employees, so they often bypass HR when entering an organization and are not tracked through any centralized system," he said. "Ironically, a lot of contractors have the same access as a permanent employee -- or even deeper access in cases where an IT function is being outsourced."
A third is that outsiders generally bring their own hardware and software with them, which has, and will continue to be, used in other networks that may not have been secure -- something experts call "poor hygiene."
That problem can be exacerbated by the reality that companies focus more on cost than on security when outsourcing services. James Arlen, senior security consultant with the Leviathan Security Group, calls it a "maturity gap," where companies outsource to vendors that are "lean, mean and cheap ... but are the weak link through which bad things happen."
And according to Trulove, the use of third parties is increasing. He cited statistics that show contract workers have increased from less than a half of 1% to 2.3% since the 1980s; and that 42% of employers intend to hire temporary or contract workers this year -- up 14% over the past five years.
How can companies lower those risks. There are a number of ways. Among the basics are to change the passwords on every connected device a company and its contractors buy and to use both risk-based and multi-factor authentication -- the kinds of things Arlen calls "Infosec 101."
There is obviously much more to good security than that, he said, "but we are not doing a good job of the basics, which we've known in detail for the last 15 years."
Beyond the basics, experts say it is mandatory for companies to pay much closer attention to their contracts with third parties -- Service Level Agreements (SLA) or Business Associate Agreements (BAA).
Ulsch wrote that those contracts should, at a minimum, address the following components:
- Information security;
- Information privacy;
- Threat and risk analysis;
- Compliance obligation range;
- Enforcement mechanisms;
- Internal audit access and disclosure requirements;
- Foreign corrupt practices management.
Raether and Ganow recommend that a BAA should require third-party contractors to, "comply with the same security framework imposed within the company." And, "where appropriate, companies should secure the right to audit their third party contractors and then actually complete such audits."
Trulove offered several recommendations for what he called a, "governance based identity management strategy," that include:
Even with all that, Ulsch noted that protecting the integrity of information remains the primary responsibility of the company. "While various regulations may also hold third parties accountable, never assume that the obligation of compliance is assignable to another company," he wrote.
Finally, Arlen said a major weakness in BAAs or SLAs is that too often they are, "either focused on a specific compliance regulation -- be it PCI or HIPAA -- which is itself not a 'security' thing but rather a 'cover-asses-in-these-specific-ways' thing.
"The fix we need is meta-compliance -- actual security rather than theatre that smells like security," he said.