Despite record breaches, secure third-party access still not an IT priority
Survey finds execs in all industries apathetic about mitigating risk
By Mark Carrizosa, Special to ThirdCertainty
Target found out the hard way that third-party suppliers, contractors and partners can pose a profound security risk. Yet some three years later, that lesson has not resonated as it should.
You’ll recall Target was materially disrupted after it infamously lost sensitive data for some 110 million customers. The intruders got deep access to the retailer’s customer records by spear phishing a third-party HVAC systems subcontractor who had been granted privileged access to the company’s network. That was back in 2013.
Earlier this year, Deloitte published survey results showing 87 percent of respondents had faced a third-party-related disruptive incident in the past two to three years. And earlier this month, the Ponemon Institute published poll results of 600 IT and security professionals, of whom 75 percent agreed that the risk of a third-party-related breach is serious and increasing.
The Soha Third Party Advisory Group recently conducted a similar poll of more than 200 enterprise IT and security C-Level executives, directors and managers from enterprise-level companies. This advisory group is comprised of experts from Aberdeen Group, Akamai, Assurant, BrightPoint Security, CKure Consulting, Hunt Business Intelligence, PwC and Symantec.
Breaches happen to other people
What we found was troublesome. Just 2 percent of respondents said they considered third-party access a top priority in terms of IT initiatives and budget allocation. It appears that the negative news stories about third-party-related breaches — not just at Target, but also at CVS, American Express, Experian and elsewhere — have done little to motivate today’s IT personnel. Remarkably, 62 percent of respondents said they do not expect their organization to be the target of a serious breach due to third-party access.
Interestingly, 56 percent acknowledged they had concerns about their ability to control and/or secure their own third-party access. To be sure, the complexity of providing secure access to applications spread across many clouds or in multiple data centers, and to contractors and suppliers who do not work for you, using devices IT knows nothing about, is a major challenge.
Providing third-party access is difficult
Many of the IT professionals we polled acknowledged that providing third-party access was a complex and tedious process. They reported that IT needs to touch five to 14 network and application hardware and software components to provide third-party access. This can include touching several types of systems, such as VPNs, firewalls, directories, and more. More than 40 percent of the respondents expect that this complexity won’t soon subside.
So what can, and should, companies do? When evaluating a secure third-party access platform, it’s important the solution be able to navigate and manage a complex maze of people, processes and technologies. The solution should provide a convenient, simple and fast way to manage the platform, policies and security.
The divide between IT priorities and the need to mitigate third-party data breaches affects all industries. IT professionals must recognize that the threat from third parties accessing their infrastructure is very real. The good news is that with the right access platform with the appropriate feature sets, organizations can significantly mitigate their risk.