Seven in ten businesses may be particularly vulnerable to malicious attacks through failings in partner security, according to new research from Accenture.
Just 29% of business and IT executives globally know how diligently their partners are working on security, with 56% relying on trust alone.
This comes even though attacks routed through partners, a tactic known as ‘Island Hopping’, are steadily increasing: indirect attacks of this nature could account for nearly a quarter of the total value at risk from cybercrime over the next five years.
In country rankings, the UK is in the middle of the pack, meeting the global average of 29%.
In China and Japan, however, only 11% and 14% respectively felt that they knew whether their partners were working diligently to be cyber resilient. Amongst the highest were the US and Germany, at 35% and 30%.
Partner security must be addressed
The world is getting smaller by the day, and almost everything is connected in a global ecosystem.
Understanding different cultural approaches to partner security is crucial for companies with complex global supply chains. Hackers are increasingly adept at exploiting third parties as a route into Fortune 500 companies, each of which can have hundreds if not thousands of partners at any given time.
“Business perimeters used to be like a castle, where security teams could create thick walls to guard against attacks. But the days of doing business in this medieval way are well and truly over,” said Nick Taylor, cyber security lead for Accenture UK.
“Now, business structures resemble something more like the London Underground, with thousands of entry points. Threat actors are preying on the weaker links. Smaller businesses, in particular, are seen as a means of infiltrating larger organisations.”
Even industries with a more demanding regulatory landscape are struggling to keep track — 57% of respondents in the banking industry reported that they simply place their trust in their ecosystem partners.
“Organisations must learn to collaborate on security. This doesn’t just mean with other businesses, but also with governments. Some of the most devastating attacks we’ve seen in recent years have been state-sponsored, which will take a combined effort to combat,” Taylor continued.
“With this type of attack on the rise, organisations will surely start to get rid of their weakest links. For those who get it right, security could be a real competitive differentiator and a make or break in deals.”
Dealing with partner security
Organisations should take several fundamental steps as a starting point:
• Collaborate with the community: 87% of executives recognise that they need to rethink their approach to security to defend not just themselves, but also their ecosystems. Netflix is among those leading the open-source security charge, sharing internally developed security tools with the world since 2014.
• Couple security with corporate strategy: Only 38% of businesses report including the chief information security officer when considering new business opportunities. GE, for example, have CISOs assigned to specific regions and business units to help inform decision-making at a more granular level.
• Think creatively about vulnerabilities: Businesses must learn to think like a hacker when threat modelling. A group of hackers made millions from insider information about publicly traded companies — not by attacking the companies themselves, but by targeting the newswire agencies that get early access to press releases from the world’s largest businesses.
• It’s not just a spring clean: Large enterprises have hundreds, if not thousands, of third-party partners going through various stages of on- and off-boarding. Each has varying levels of network access. Organisations must create a process that allows them to continuously reassess where their vulnerabilities are.