Consumer Confidence in Data Security Plummets

Organizations’ increasing use of contractors, freelancers and other third-party workers is weakening consumers’ trust in their data security, according to a study by SecZetta.

The survey of more than 2,000 U.S. adults revealed that 83% of respondents agree organizations' data systems have become more vulnerable to cyberattacks. Nearly nine in 10 respondents said organizations and government entities must have better data security systems in place to protect them from the increase in third-party remote attacks.

The results come as recent high-profile breaches, including those at SolarWinds, Colonial Pipeline and JBS, have exposed how vulnerable organizations are to cybercrime, and to ransomware attacks in particular.

Howard Ting, CEO at Cyberhaven, explained that trusted third parties introduce both internal and external risks, as these third parties may have weaker security that provides a softer initial target for an attacker.

“There are countless examples in the wild in which a trusted partner or contractor was the initial vector into an organization,” he said. “Third parties also bring insider risks where a partner or contractor may accidentally or maliciously expose sensitive data.”

He pointed out that recent ransomware attackers have even actively recruited company and third-party insiders as a way to gain access to a network.

All Workers are Security Risks

“Ultimately, all users and systems with privileges in the enterprise are part of an organization’s attack surface whether they are full-time or third-party employees or partners,” Ting said. “This same issue of risk extends to any partner or service that has access to an organization’s sensitive data.”

Ting noted these same risks apply to SaaS applications and other cloud-based services that an organization does business with.

“Anyone with access and privileges in an organization should meet the same security standards and conform to the same policies whether they are a traditional employee or a partner, contractor or freelancer,” he said.

Rebuilding Consumer Trust

To rebuild consumer trust, SecZetta survey respondents said organizations must invest in advanced technology systems that help proactively reduce their risk of third-party-perpetrated cyberattacks.

More than three-quarters (78%) of U.S. adults said they believe it’s easy for cybercriminals to breach an organization and 73% said they believe most organizations today lack good controls over who has access to their computer systems and/or data.

Slightly more than half (52%) of U.S. adults feel confident in consumer-facing industries, among them financial services and retail, with men being slightly more confident than women (55% versus 48%, respectively).

When asked which areas of their personal lives they feel are most vulnerable to a cyberattack, close to half of the respondents (42%) cited the potential for personal financial impact from a cyberattack on an organization with which they have a relationship.

Lose the Legacy Security

Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, also pointed out that the increased risk from contractors and third-party suppliers means organizations must change and modernize their security strategy so they are no longer dependent on legacy security controls.

“Organizations who focus on traditional security controls, such as perimeter and endpoint security, are not effective against contractors or third-party suppliers as they typically do not control the devices they use,” he said.

Without a modern security approach, organizations are very much dependent on strong passwords protecting them from cyberattacks, Carson said. It’s increasingly common for cybercriminals to easily abuse organizations that rely almost solely on users creating strong passwords, he added.

“This means to be able to control security and reduce risks, organizations must adapt to an identity security approach, which is something they can still control,” he said.

Ting noted that organizations should consider several practices, including least-privilege access, data monitoring and analysis, and stricter data controls.

“Any partners should have their access strictly limited to only the systems or data required for their roles,” he said. “Any access or privileges should be quickly removed at the end of a project, and the organization should be able to audit to find users who still have unneeded access.”

The organization should also include monitoring and analysis to detect any misuse or improper handling of sensitive data after access has been granted.

“Additionally, the organization’s data should always remain under its control and it should implement security controls to prevent data from leaving the enterprise environment; for example, preventing a contractor from moving data to a third-party cloud or network,” he said.
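The controls Ting describes above (access limited to what a role requires, removal at the end of a project, and an audit that finds users who still hold unneeded access) can be turned into a repeatable check. The script below is an added example and is not code from the article, SecZetta or Cyberhaven; the engagement records, account entitlements and entitlement names are constructed sample data, and the audit date is assumed. It classifies each third-party account as stale (the engagement has ended but access remains), excess (access beyond what the engagement requires) or orphaned (no engagement record at all), which is the output a reviewer would use to drive removals.

```python
from datetime import date

# Constructed sample data (not from the article): each engagement records when the
# project ends and the minimum set of entitlements the role needs.
ENGAGEMENTS = {
    "proj-billing-migration": {"end": date(2021, 5, 31), "required": {"billing-db-ro", "jira"}},
    "proj-website-refresh": {"end": date(2021, 9, 30), "required": {"cms-editor", "jira"}},
}

# Constructed sample data: third-party accounts and the access they currently hold.
ACCOUNTS = [
    {"user": "contractor-a", "project": "proj-billing-migration", "access": {"billing-db-ro", "jira"}},
    {"user": "contractor-b", "project": "proj-website-refresh", "access": {"cms-editor", "jira", "billing-db-rw"}},
    {"user": "contractor-c", "project": "proj-website-refresh", "access": {"cms-editor"}},
    {"user": "contractor-d", "project": "proj-unknown", "access": {"vpn"}},
]

# Assumed audit date for the example run.
AS_OF = date(2021, 7, 1)


def audit_third_party_access(accounts, engagements, today):
    """Return (user, finding, entitlements) tuples for every account that
    violates least privilege or should already have been offboarded."""
    findings = []
    for acct in accounts:
        eng = engagements.get(acct["project"])
        if eng is None:
            # No engagement on record: nobody owns this access, so flag all of it.
            findings.append((acct["user"], "orphaned", frozenset(acct["access"])))
            continue
        if today > eng["end"] and acct["access"]:
            # Project finished but access was never removed.
            findings.append((acct["user"], "stale", frozenset(acct["access"])))
            continue
        excess = acct["access"] - eng["required"]
        if excess:
            # Active engagement, but holding more than the role requires.
            findings.append((acct["user"], "excess", frozenset(excess)))
    return findings


def example_findings():
    """Run the audit over the constructed sample data as of AS_OF."""
    return audit_third_party_access(ACCOUNTS, ENGAGEMENTS, AS_OF)


if __name__ == "__main__":
    for user, finding, entitlements in example_findings():
        print(f"{user:14s} {finding:9s} {sorted(entitlements)}")
```

Feeding this from the identity provider's export and the contracts system on a schedule gives the recurring audit the article calls for; each "stale" and "orphaned" line is a removal ticket, and each "excess" line is a conversation with the project owner about whether the role really needs that entitlement.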

Carson stated that, in today’s environment, identities are the new perimeter and privileged access is the new security.

“A strong identity and access management strategy will help organizations reduce the risks from continued increased use of third parties,” he said. “Organizations must help move passwords into the background and reward their employees, contractors and third-party suppliers with strong privileged access security controls.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
