Companies are putting increasing trust and dependence on third-party vendors, often with access to their IT systems. But new research finds that third-party vendors can be a significant security risk if their access to IT systems are not managed and monitored correctly.
Although security experts are often warning companies of the potential threats from privileged insiders, some of the most devasating breaches in the past few years have originated from the security weaknesses of third parties.
In 2013, US retailer Target fell victim to an enormous breach which exposed over the credit and debit card accounts of over 40 million of its customers. The incident began with the stealing of network credentials from a third-party HVAC vendor, and resulted in the firing of its CEO.
The new research study, conducted by security firm Bomgar, found that 81% of companies admitted that high profile data breaches in the media have increased their awareness of the need for better third-party vendor controls.
Yet despite the horror stories, only a third (35%) of companies are confident they know the exact number of vendors accessing their IT systems.
On average, a whopping 89 third-party vendors access a typical company’s network each week, and that number is likely to grow. Three quarters (75%) of those polled stated the number of third-party vendors used by their organisation has increased in the last two years, and 71% believe the numbers will continue to increase in the next two years.
The report uncovered a high level of trust in third-party vendors, but a low level of visibility of vendor access to IT systems: 92% of respondents say they trust vendors completely or most of the time, although as many as two-thirds (67%) admit they tend to trust vendors too much.
Astonishingly, only 34% knew the number of log-ins to their network attributed to third-party vendors, and 69% admitted they had definitely or possibly suffered a security breach resulting from vendor access in the past year.
'Third-party vendors play a vital and growing role in supporting organisations’ systems, applications, and devices. However, they also represent a complex network that many organisations are struggling to appraise and manage correctly,' said Matt Dircks, CEO of Bomgar.
> See also: The six steps to third-party compliance heaven
'This combination of dependence, trust, and lack of control has created the ‘perfect storm’ for security breaches across companies of all sizes. If a hacker can compromise and pose as a legitimate vendor, they may have unfettered access to networks for weeks or even months; plenty of time to steal sensitive data or shut down critical systems.'
So what can companies do to protect themselves against potential third-party security risks?
Dircks said it's important to audit yourself and your vendors thoroughly and do so on a regular basis.
'There’s clearly a gap in many organisations’ ability to limit their exposure to cyber-attacks that stem from hackers piggy backing on third-party vendor access,' he added added. 'Without the ability to granularly control access and establish an audit trail of who is doing what on your network, you cannot protect yourself from third-party vulnerabilities.'