Insecure Connections: Enterprises hacked after neglecting third-party risks

It is said that an enterprise is only as secure as its weakest link. Today, that weak link often turns out to be partners, suppliers, and others with persistent network and application access.

These weak links have certainly placed third-party security into the spotlight. As we've seen this year, multiple breaches have been the direct result of security lapses at partners and third-party suppliers or vendors. Most notably, the Target breach was reportedly the result of a compromised contractor. While Target Corp. was the most visible, it certainly wasn't the only breach this year involving the IT supply chain.


This spring, business research firm Deltek warned customers that it had suffered a breach in which the attacker gained access to login credentials and, possibly, the credit card information of 25,000 users. Also this spring, Houston-based offshore contract driller Rowan Companies reported that it had detected a breach of its systems, and that the breach affected information not only about its employees but also about its vendors and contractors.

And so it goes, over and over -- enterprise data is placed at significant risk through the security slips of trusted partners.

Yet, concern for third-party security dips

You wouldn't think there was much to these third-party security risks when looking at the data in our 2014 U.S. State of Cybercrime Survey, which found attention to third-party security slipping. The U.S. State of Cybercrime Survey is an annual survey by CSO Magazine conducted with help from the U.S. Secret Service, the Software Engineering Institute at Carnegie Mellon University, and PwC. It is based on responses from 500 U.S. executives, security experts, and others from the private and public sectors.

The survey found that fewer organizations -- 44 percent this year compared to 54 percent last year -- are making the effort to vet the security of third-party providers and others in their IT supply chain.


Interestingly, despite the steady news of third-party security breaches, roughly 70 percent of enterprises enter into contracts with external vendors without having conducted any security checks. Even supply-chain partners are not secured. A startling 92 percent of enterprises don't have any supply chain risk management abilities in place. "Indeed, criminals have found that third-party partners may provide relatively easy access to confidential data. It's an indirect path to criminal profit that is increasingly successful because most organizations make no effort to assess the cybersecurity practices of their partners and supply chains," the report concluded.

That will only become more true as more data and more systems are connected. Jay Jacobs, vice president at the Society of Information Risk Analysts, would agree. "What we are seeing speaks to the weakest link in the security chain," says Jacobs. "The attackers don't have to attack anyone directly. Many times they really aren't even targeting any specific victim, they're targeting any organization with anything of value. And when they find a weakness they will exploit it in an opportunistic way, and that can easily include attacking partners."

An ounce of due-diligence goes far

Not all enterprises can afford to be so nonchalant when it comes to third-party risks, especially those that work in heavily regulated industries such as healthcare, payment processing, financial services, and others.

"You absolutely have to look at the security of your third party partners," says Eric Cowperthwaite, former system director, enterprise security risk management and CISO at Providence Health and Services. "You don't have to look at everyone at first, but you have to at least start with looking at those partners who could create the most risk for your organization.


"When trying to determine whether they were a high or a low risk, one of the primary tools we used was a really simple questionnaire that asked a set of questions that we thought were important things that would indicate a mature program was in place, such as having a designated security officer, a corporate security policy. Did they install antivirus on their computers?" says Cowperthwaite. Should the vendor fail any of those questions, then they'd earn themselves a much more thorough vetting, he explains.

Beyond questionnaires, the next step CISOs can take is to implement security controls that ensure more secure access to protected systems: Does the vendor employ strong, two-factor authentication? Does it monitor and log user activity? Does it encrypt its network traffic?

PCI DSS sets sights on third-party risks

The Payment Card Industry Data Security Council is taking steps to bolster third-party security. The most recent version of the PCI Data Security Standard (PCI DSS) added new requirements aimed at reducing third-party payment card risks from outsourced providers, including a requirement that businesses which accept credit card payments and rely on outsourced payment processing spell out security requirements in their contractual agreements with those providers.


Additionally, the PCI council's Third Party Security Assurance SIG is currently finalizing an information supplement, Third Party Security Assurance. However, the supplement, already past due for release, is now scheduled to be released sometime this quarter.

Stories by George V. Hulme