Despite record breaches, secure third-party access still not an IT priority

Survey finds execs in all industries apathetic about mitigating risk


Target found out the hard way that third-party suppliers, contractors and partners can pose a profound security risk. Yet some three years later, that lesson has not resonated as it should.

[Image: Ed note, Soha Systems, Mark Carrizosa]

You’ll recall Target was materially disrupted after it infamously lost sensitive data for some 110 million customers. The intruders got deep access to the retailer’s customer records by spear phishing a third-party HVAC systems subcontractor who had been granted privileged access to the company’s network. That was back in 2013.

Earlier this year, Deloitte published survey results showing 87 percent of respondents had faced a third-party-related disruptive incident in the past two to three years. And earlier this month, the Ponemon Institute published the results of a poll of 600 IT and security professionals, 75 percent of whom agreed that the risk of a third-party-related breach is serious and increasing.

The Soha Third Party Advisory Group recently conducted a similar poll of more than 200 enterprise IT and security C-level executives, directors and managers from enterprise-level companies. This advisory group is composed of experts from Aberdeen Group, Akamai, Assurant, BrightPoint Security, CKure Consulting, Hunt Business Intelligence, PwC and Symantec.

Breaches happen to other people

What we found was troublesome. Just 2 percent of respondents said they considered third-party access a top priority in terms of IT initiatives and budget allocation. It appears that the negative news stories about third-party-related breaches, not just at Target but also at CVS, American Express, Experian and elsewhere, have done little to motivate today’s IT personnel. Remarkably, 62 percent of respondents said they do not expect their organization to be the target of a serious breach due to third-party access.

Interestingly, 56 percent acknowledged they had concerns about their ability to control and/or secure their own third-party access. To be sure, the complexity of providing secure access to applications spread across many clouds or in multiple data centers, and to contractors and suppliers who do not work for you, using devices IT knows nothing about, is a major challenge.

Providing third-party access is difficult

Many of the IT professionals we polled acknowledged that providing third-party access was a complex and tedious process. They reported that IT needs to touch five to 14 network and application hardware and software components to provide third-party access. This can include touching several types of systems, such as VPNs, firewalls, directories, and more. The expectation of more than 40 percent of the respondents is that this complexity won’t soon subside.

So what can, and should, companies do? When evaluating a secure third-party access platform, it’s important the solution be able to navigate and manage a complex maze of people, processes and technologies. The solution should provide a convenient, simple and fast way to manage the platform, policies and security.

The divide between IT priorities and the need to mitigate third-party data breaches affects all industries. IT professionals must recognize that the threat from third parties accessing their infrastructure is very real. The good news is that with the right access platform with the appropriate feature sets, organizations can significantly mitigate their risk.
