Business partners greatest security threat
Crime rings are approaching business partners, including call centres and support agencies, to steal data from organisations.
External threats from partner organisations pose the greatest risk to corporate data security, according to a report detailing 500 forensic data investigations by Verizon Business.
The Verizon report analysed hundreds of corporate data breaches, including three of the five largest ever reported, and found that while insider threats were the most devastating in terms of impact, the higher number of data breaches attributable to partners made them a greater risk factor.
While external (outside the organisation) attacks were much more common, possibly because “90% of known vulnerabilities exploited had patches available for at least six months prior to the breach”, the relative damage of these attacks was found to be much lower.
“Business partners were involved in 39% of the data breaches handled by our investigators,” the report stated.
“In a scenario witnessed repeatedly, a remote vendor’s details were compromised, allowing an external attacker to gain high levels of access to the victim’s systems.”
A typical case of a partner security breach, explained Verizon Business’s director of investigative response, Bryan Sartin, involves a crime ring approaching employees in call centres or support positions “and saying ‘if you hate your job or your boss, I’m your solution’”.
It is a hard system to crack and fairly safe for crime rings because “the person behind it is a pawn”. And despite being controllable through good access control on behalf of the outsourcing business, “a good nine out of 10 victims of partial insider security breaches believe they have controls on the partial insider connection. Sometimes they don’t even know where their data is located,” he says.
“In 70% of cases it’s a third party that notifies the business, usually banks, law-enforcement or customers. The business is usually shocked when it finds out. Often we don’t even need specialist forensic tools because the answers are in the logs in black and white.”
Surprisingly, the retail and food and beverage industries accounted for over half of the investigations conducted. Financial firms accounted for 14% of investigations, while technology services, including software companies, data warehousing firms and telecom companies, made up 13% of cases.
Sartin says criminals are turning to ‘softer’ targets as financial organisations become more secure, choosing “the path of least resistance”.
Restaurant cases are becoming increasingly common, he warns.
“If two out of three customers complaining of fraud attended the restaurant in the third week of December, we go in and ask the owner if someone stole the bowl of business cards left on the counter. They often say, ‘How did you know that?’,” he explains, adding that matching card numbers to business cards allows a fraudster to develop a valuable picture of a victim’s identity.
“You’d expect attacks to be getting more sophisticated,” adds Verizon’s manager principal of forensics Matthijs van der Wel, “but from a criminal perspective it’s easier to go for the weakest link.”
The report comes as stockbroker Merchant Securities was fined £77,000 by the Financial Services Authority for using “weak data security controls” to protect customer information – including chatting to them about holidays and hobbies to identify customers over the phone.