Published: 13 December 2016
By Stephen Roberts
Managing where contractors can go when working on critical IT projects is always a hot topic, and the risks today are greater than ever before. Successful attacks originating with third-party providers, and even with partners in a supply chain, have risen by 22% since 2015 according to PwC's Global State of Information Security Survey, and Soha Systems' survey on third-party risk management notes that 63% of all data breaches can now be attributed to a third party. This is concerning because most large companies use third-party specialists; they are simply a part of doing business in today's globalised environment and essential to accelerating growth, whatever an organisation's size.
But companies are taking on more partners without continually reassessing their third-party security risk profile, and every partner does increase your exposure: IT security risks, regulatory compliance risks (those fines and potential prison sentences are only getting steeper), corruption, operational, health and safety, environmental, quality and reputational risks. Not to mention the knock-on consequences, such as increased exposure to litigation and a depressed market value and share price. An attack on a third party can affect many of its customers at once, but the scope of the attack often isn't fully realised until it's too late. Companies' heavy reliance on outsourced business operations has reached a point where a single breach at a provider can yield troves of data from every client it serves. Even if your own security is sophisticated, that doesn't mean theirs is.
Third parties are typically given extended access even though they are essentially new and untrusted suppliers. They also usually receive unlimited privileged access to company systems, often far more than is needed to deliver the project, and as a result these third-party "outsiders" actually become "trusted insiders", often more powerful than the organisation's own staff. Privileged users with full access to systems or applications can access and peruse whatever they like. Giving a help desk domain admin rights so that it can change passwords or test application functionality is a typical example, when a narrowly delegated right would do. At best this means an employee innocently wasting working time browsing the network; at worst it means an insider-driven breach that brings the business to its knees.
There are hundreds of ways into an organisation, but attackers will pursue privileged accounts because those are the ones that let them reach and steal data. PwC found recently that 74% of companies don't even have a complete inventory of the third parties handling their customer and employee data, are unaware of who actually "owns" each relationship internally, and are therefore probably over-sharing data with them.
Perhaps more worryingly, a recent Ponemon Institute study found that over a third of companies don't believe their third parties would tell them about a data breach. That's not to say that every third party is hiding malicious hackers, but these relationships can span decades. Booz Allen Hamilton recently reported that most third-party incidents occur within an existing relationship. This is a constantly evolving environment: certain risks might be assessed during the on-boarding process, but after that it's out of sight and out of mind, and later contracts might not reflect developments and trends that have appeared since. Low risk can easily become high risk over time, and this disconnect in security across all industries results in a breakdown of trust and communication.
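The three failure modes described above (tier-0 rights handed to an outside help desk, no internal owner for the relationship, and access that outlives the contract) are all checkable against an inventory of third-party accounts. The audit below is an added example written for this article, not code from Osirium or from its Third Party Access product; the inventory fields, the list of tier-0 groups, the 90-day dormancy threshold and the vendor accounts are all assumptions or constructed sample data.

```python
"""Least-privilege and lifecycle audit over an inventory of third-party accounts.

Added example, not code from Osirium or the original post. The inventory
layout, the tier-0 group list and the 90-day dormancy threshold are assumptions;
the accounts at the bottom are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Groups whose membership amounts to full control of the directory (assumed list).
TIER0_GROUPS: Set[str] = {"Domain Admins", "Enterprise Admins", "Administrators"}
DORMANT_DAYS = 90


@dataclass
class ThirdPartyAccount:
    sam: str                      # account name
    vendor: str                   # external organisation the account belongs to
    groups: Set[str]              # directory group memberships
    purpose: str                  # what the contract says the account is for
    owner: Optional[str]          # internal employee who owns the relationship
    expires: Optional[date]       # contractual end of access, if recorded
    last_logon: Optional[date]    # last interactive or service logon, if any


def audit(accounts: List[ThirdPartyAccount], today: date) -> Dict[str, List[str]]:
    """Return {account name: [issues]} for every account that fails a check.

    Checks: tier-0 group membership, no named relationship owner, no access
    expiry, access that has expired while the account is still enabled, and
    accounts nobody has used for DORMANT_DAYS.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        tier0 = acct.groups & TIER0_GROUPS
        if tier0:
            issues.append(f"tier-0 membership {sorted(tier0)} for purpose '{acct.purpose}'")
        if acct.owner is None:
            issues.append("no internal relationship owner recorded")
        if acct.expires is None:
            issues.append("no access expiry set")
        elif acct.expires < today:
            issues.append(f"access expired {acct.expires.isoformat()} but account still enabled")
        if acct.last_logon is None or (today - acct.last_logon).days > DORMANT_DAYS:
            issues.append(f"dormant: no logon in the last {DORMANT_DAYS} days")
        if issues:
            findings[acct.sam] = issues
    return findings


# Constructed sample inventory (hypothetical vendors and account names).
TODAY = date(2016, 12, 13)
SAMPLE_ACCOUNTS = [
    # Help-desk contractor put in Domain Admins so it can reset user passwords:
    # far more than a reset-password delegation on a user OU requires.
    ThirdPartyAccount("svc-helpdesk-ext", "HelpDeskCo", {"Domain Admins", "Domain Users"},
                      "reset end-user passwords", "it-ops-manager",
                      TODAY + timedelta(days=200), TODAY - timedelta(days=1)),
    # Scoped to one role, owned, time-limited and in active use: passes.
    ThirdPartyAccount("svc-backup-vendor", "BackupLtd", {"Backup Operators", "Domain Users"},
                      "run nightly backup jobs", "infra-lead",
                      TODAY + timedelta(days=90), TODAY - timedelta(days=2)),
    # Project finished months ago, nobody owns it any more, account never disabled.
    ThirdPartyAccount("svc-erp-migration", "ERPConsult", {"Domain Users", "ERP-Admins"},
                      "ERP migration project", None,
                      date(2016, 6, 30), TODAY - timedelta(days=150)),
]


def sample_findings() -> Dict[str, List[str]]:
    """Run the audit over the constructed inventory."""
    return audit(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for sam, issues in sample_findings().items():
        print(sam)
        for issue in issues:
            print("  -", issue)
```

Run against the sample data, the help-desk account is flagged only for its Domain Admins membership (it has an owner, an expiry and recent use), the backup vendor account is clean, and the finished migration account collects three findings: no owner, expired access, and no logon in 150 days. In practice the inventory would be pulled from the directory and the contract register rather than typed in, but the checks are the same.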
Attacks and mistakes do happen, but the consequences are now extremely costly. Third-party relationships can be complex and span countries with different regulations and laws, and regulators are cracking down harder than ever on third-party risk: if a third party is targeted and falls victim, it's your customer data that's in jeopardy and your company, job, brand reputation and CEO/CIO on the line. Businesses need to change the way they view security and start future-proofing themselves. Information security is no longer just an internal IT effort; it now needs to be considered throughout a company's whole business network.
At Osirium we've created the tight controls that give third parties the right access to the right systems to deliver their projects, without exposing a burgeoning infrastructure to unnecessary risk. As the UK's Privileged Access Management innovator, Osirium includes robust features such as Third Party Access, which offers a central point of control for all third-party access into hybrid-cloud infrastructures that typically contain many different technologies.
To find out more about how Osirium can help control the misuse of privileged accounts, visit www.osirium.com.