BreachExchange mailing list archives

Third-party security is continuously lacking, yet few leaders show concern or take action

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 28 Jul 2014 18:49:54 -0600

http://www.csoonline.com/article/2458048/security-leadership/insecure-connections-enterprises-hacked-after-neglecting-third-party-risks.html

It is said that an enterprise is only as secure as its weakest link. Today,
that weak link often turns out to be partners, suppliers, and others with
persistent network and application access.

These weak links have certainly placed third-party security into the
spotlight. As we’ve seen this year, multiple breaches have been the direct
result of security lapses at partners and third-party suppliers or vendors.
Most notably, the Target breach was reportedly the result of a compromised
contractor. While Target Corp. was the most visible, it certainly wasn’t
the only breach this year involving the IT supply chain.

This spring, business research firm Deltek warned customers that it had
suffered a breach in which the attacker gained access to login credentials
and, perhaps, the credit card information of 25,000 users. Also this
spring, Houston-based offshore contract driller Rowan Companies reported
that it had detected a breach of its systems and that the breach
affected information not only about its employees, but also about vendors and
contractors.

And so it goes, over and over – enterprise data is placed at significant
risk through the security slips of trusted partners.

Yet, concern for third-party security dips

You wouldn’t think there was much to these third-party security risks when
looking at the data within our 2014 U.S. State of Cybercrime Survey, which
found third-party security slipping. The U.S. State of Cybercrime Survey is
an annual survey by CSO Magazine with help from the U.S. Secret Service, the
Software Engineering Institute at Carnegie Mellon University, and PwC. This
survey is based on responses from 500 US executives, security experts, and others from the
private and public sectors.

The survey found that fewer organizations -- 44 percent this year compared to 54
percent last year -- are bothering to put in the effort to vet the security
of third-party providers and others in their IT supply chain.

Interestingly, despite the steady news of third-party security breaches,
roughly 70 percent of enterprises enter into contracts with external
vendors without having conducted any security checks. Even supply-chain
partners are not secured. A startling 92 percent of enterprises don’t have
any supply chain risk management capabilities in place. “Indeed, criminals
have found that third-party partners may provide relatively easy access to
confidential data. It’s an indirect path to criminal profit that is
increasingly successful because most organizations make no effort to assess
the cybersecurity practices of their partners and supply chains,” the
report concluded.

That will only grow increasingly true as more data and more systems are
connected. Jay Jacobs, vice president at the Society of Information Risk
Analysts, would agree. “What we are seeing speaks to the weakest link in the
security chain,” says Jacobs. “The attackers don’t have to attack anyone
directly. Many times they really aren’t even targeting any specific victim;
they’re targeting any organization with anything of value. And when they
find a weakness they will exploit it in an opportunistic way, and that can
easily include attacking partners.”

An ounce of due-diligence goes far

Not all enterprises can afford to be so nonchalant when it comes to
third-party risks, especially those that work in heavily regulated
industries such as healthcare, payment processing, financial services, and
others.

“You absolutely have to look at the security of your third party partners,”
says Eric Cowperthwaite, former system director, enterprise security risk
management and CISO at Providence Health and Services. “You don’t have to
look at everyone at first, but you have to at least start with looking at
those partners who could create the most risk for your organization.

“When trying to determine whether they were a high or a low risk, one of
the primary tools we used was a really simple questionnaire that asked a
set of questions that we thought were important things that would indicate
a mature program was in place, such as having a designated security
officer, a corporate security policy. Did they install antivirus on their
computers?” says Cowperthwaite. Should the vendor fail any of those
questions, then they’d earn themselves a much more thorough vetting, he
explains.

Beyond questionnaires, the next step CISOs can take is to implement
security controls that ensure more secure access to protected systems: does
the vendor employ strong, two-factor authentication? Does it monitor and
log user activity? Does it encrypt its network traffic?

PCI DSS sets sights on third-party risks

The Payment Card Industry Data Security Council is taking steps to bolster
third-party security. In the most recent version of the PCI Data Security
Standard (PCI DSS), new requirements were added that aim to reduce
third-party payment card risks from outsourced providers, including a
requirement that security obligations be spelled out in the contractual agreements of
businesses that accept credit card payments and rely on outsourced payment processing.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss