Enterprises Misplace Trust in Partners, Suppliers

In an era when many organizations are focused on building zero-trust access-control architectures, a great many are paradoxically extending considerable trust to the third parties they allow to access their systems remotely. And that trust is placing them at significantly increased risk of successful attacks against their business technology systems.

According to a survey conducted by Ponemon Institute on behalf of SecureLink, this unwillingness to effectively assess third-party remote-access risk exposes networks to compromise. This would also explain why the survey found that, of the 44% of respondents who were breached within the past year, 74% said the breaches could be traced back to access they had provided to those third parties.

Interestingly, the survey found that while many organizations view third-party remote access as a security risk, many don’t bother to prioritize mitigating that risk. Fifty-one percent of organizations say that they do not assess all of their third-party partners’ security and privacy practices before granting them access to sensitive and confidential information.

Notably, a sizable 63% of respondents said they rely on the reputation of these partners and suppliers rather than evaluating their practices, which makes reliance on reputation the most common reason organizations give for not evaluating the privacy and security practices of third parties. Further, 61% of respondents say their third-party management program does not define or rank levels of third-party risk.

The survey also found that 54% of organizations may not even know, at any given time, which third parties have been granted access to their systems, and 65% of organizations have not identified the third parties with access to their most sensitive data.

This certainly leaves organizations blind, especially if they are not aware of the levels of permission these third parties have been given. Nearly 60% of organizations say they don’t have centralized management control over the partners and suppliers to which they grant access, and roughly half of those respondents blame the complexity of such relationships.

Complex or not, it is imperative that enterprises get a better handle on their third-party access — especially the more than half of organizations that said they are not monitoring the security of the parties with whom they regularly share sensitive or confidential information.

In one of the more recent studies of third-party breaches, security firm Risk Based Security found that third-party breaches rose from 328 in 2018 to 368 in 2019, and that the number of impacted records rose from 1.7 billion in 2018 to 4.8 billion in 2019. According to its analysis, the average exposure per third-party breach is 13 million records.

Consider the breach that struck General Electric in early 2020. That breach came through GE’s provider, Canon Business Process Services, via the compromise of a Canon employee’s email account. According to reports, it exposed the sensitive information of more than 280,000 GE employees. Exposed data included Social Security and driver’s license numbers, bank account details, passport information and other private employee information that GE employees had shared with Canon Business Process Services over the course of their employment.

Such breaches are not uncommon; the 2013 Target breach, which affected roughly 41 million customers, was attributed to the compromise of an HVAC supplier. Enterprises need to start taking the security of their suppliers more seriously. They need to inventory which third parties have access to their systems and which ones they share sensitive information with, and they need to monitor everything from those partners’ and suppliers’ security and privacy policies, to their ability to enforce those policies, to how they will notify affected organizations should a breach occur.

The Ponemon Institute study is based on responses from 627 respondents involved in their organization’s management of remote third-party data risks. The respondents are based in North America and work in financial services, health and pharma, the public sector, services, and industrial and manufacturing.