VENDOR VULNERABILITY: HOW TO PREVENT THE SECURITY RISK OF THIRD-PARTY SUPPLIERS
Between November and December 2013, the U.S. retailer Target was the subject of one of the largest data breaches in history. Hackers introduced malware to the card reading systems in nearly 1,800 Target stores during the busiest retail season of the year. They captured the credit and debit card information of approximately 40 million customers.

How did the hackers manage to compromise such a large system and get away with so much valuable data? The answer lies with Fazio Mechanical Services (FMS), a heating, ventilation and air conditioning (HVAC) contractor in Pittsburgh. FMS provided electronic billing services, contract submissions and project management services to some Target stores and had access to its network. The hackers stole FMS's credentials and used them to gain access to Target's systems.

The Target breach powerfully illustrates how businesses in any industry are potentially at risk from the third parties with which they work. Without a robust solution for managing, controlling, or monitoring a vendor’s access to its network, Target effectively left the back door open for hackers to walk in.

But since 2013, how much has really been done to tackle the issue of vendor access management? Is it something for which businesses are actively considering and deploying solutions? Or has it slipped from people's minds, leaving businesses and their sensitive data at extreme risk?

To find out, we surveyed hundreds of IT and Security decision makers who have oversight of third-party access to their organization's network. We found that, while vendor access management is something that most are aware of, few have pursued the solutions that would protect their sensitive business data from possible third-party breaches. And, with the number of third-party vendors a business engages set to rise dramatically over the next few years, time is running out to safeguard against this very real threat.

RESEARCH METHODOLOGY

608 key decision makers with visibility over the processes associated with enabling any external parties to connect to their systems remotely completed a survey during February 2016. Those surveyed were all IT professionals across Operations, IT Support/Helpdesk, IT Security or Network/General IT roles. Respondents were from a multitude of industries, including Professional Services, Finance, Manufacturing, Healthcare, Retail and the Public Sector. The survey was conducted across the United Kingdom, the United States, Germany and France.

I: THE IMPORTANCE OF THIRD PARTIES AND VENDORS TO ORGANIZATIONS

The discussion around vendor vulnerability is extremely relevant when one considers the vast network of third-party suppliers most organizations possess. Respondents to our survey reported that, on average, 89 vendors are accessing their company's network every single week. Respondents reported that 45% of third-party vendors who have access to their internal networks logged in within the past year.

FIG 1. CHANGE IN NUMBER OF THIRD PARTIES OVER THE LAST 2 YEARS: increased by more than 20%, 31%; increased by up to 20%, 44%; stayed the same, 23%; decreased, 2%.

Vendors and third-party suppliers are clearly vital to organizations. They are part of the ecosystem in which modern businesses must operate, and this ecosystem will only grow in scale and importance. Nearly three quarters (71%) of respondents are expecting their companies to become more reliant on third parties in the next two years.

But as the complex network of suppliers and third-party vendors within your organization grows, so too does the risk. Without proper policies for the control and management of vendor access to your network, there is a security threat not just to your business, but to your employees and customers (see Fig 1).

II: THE IMMEDIATE RISKS AND CONCERNS FOR VENDOR VULNERABILITY

It’s not that organizations don’t understand these risks. Amongst those surveyed, there was a general awareness of the threats posed by ineffective management and poor visibility of vendor access. But it was clear from our respondents that not enough is being done to address the risks and concerns around vendor vulnerability.

SO WHAT MAKES A COMPANY VENDOR VULNERABLE?

HIGH LEVELS OF (UNWARRANTED) TRUST IN THIRD-PARTY VENDORS

Many are placing too much trust in the vendors they work with. An astonishing 92% of respondents say they trust vendors completely or most of the time. But there is a growing realization that, when granting a vendor access to your network, this decision needs to be based on more than just blind faith. More than two-thirds (67%) of respondents believe that they tend to trust vendors too much.

Organizations need robust controls and checks to mitigate the security risk of vendors. Do you know what technology and tools third parties are using to access your networks? Can you see when they're accessing your systems and what they're doing? Are your vendors sharing simple passwords among employees, or employing security best practices such as multifactor authentication and credential rotation? In the current climate, it is no longer enough to simply trust that a vendor has the security policies in place to defend against threats (see Fig 2).

NON-STRATIFIED ACCESS TO THE NETWORK

Just under half (44%) of those surveyed reported an ON/OFF approach to vendor access, rather than employing varying levels of access for different vendors. This equates to roughly every other company simply welcoming vendors into their entire network or shutting them out completely.

This is a wildly risky approach. Most vendors do not need access to the entirety of your network, and vendors should only be given access to the specific systems or applications required by the services they provide to your organization. This should be supplemented with individual, named logins for each vendor user, company credential policies and secure remote access tools.

LACK OF VISIBILITY OF VENDOR ACCESS TO NETWORK

With so many vendors accessing an organization's network on a weekly and annual basis, it is absolutely imperative to have visibility of which vendors are logging in and when. But when pressed on this matter, only 35% of respondents are very confident in knowing the actual number of vendors accessing their systems, and just 34% know the number of individual log-ins that can be attributed to vendors.

Perhaps most shockingly, 69% say they definitely or possibly suffered a security breach resulting from vendor access within the last year. The fact that many organizations cannot even determine for certain if a breach was the result of vendor access is a sobering thought, and proof that visibility is a key issue when it comes to vendor vulnerability.

These numbers reveal a huge gap in many organizations' ability to limit their exposure to security breaches. Without an audit trail of exactly which vendors have been accessing your network, you cannot be sure whether one of their accounts has been compromised. In the event a breach does occur, your business will have to shoulder all responsibility for the security failure (see Fig 3).

FIG 2. TRUST IN THIRD PARTY VENDORS: completely, 33%; most of the time, 59%; some of the time, 7%; not at all, 1%.

FIG 3. CYBER BREACHES RESULTING FROM THIRD PARTY VENDOR ACCESS: yes, definitely, 35%; yes, probably, 34%; no, 28%; don't know / no idea, 3%.

OUT OF DATE POLICY AND ENFORCEMENT AROUND THIRD-PARTY ACCESS

Two thirds of respondents reported that they find it difficult to keep on top of the changing security threats to their company. This is reflected in the fact that more than half (55%) of those surveyed have not reviewed their policy around third-party access in the last two years. Just 51% said they consistently enforce their policies around third-party access.

It can feel like a fool's errand to keep your vendor access policy up-to-date with every emerging security risk. These things change daily, sometimes hourly. But the reality is that an up-to-date policy on third-party access is essential to protect your business. More importantly, every policy put into place should have a corresponding enforcement strategy and tools that make enforcing evolving policies simple and effective (see Figs 4 and 5).

FIG 4. LAST TIME THIRD PARTY VENDOR ACCESS REVIEWED: within the last year, 20%; 1 year ago, 23%; 2 years ago, 30%; 3 years ago, 16%; more than 3 years ago, 9%; don't know / no idea, 1%.

FIG 5. EXTENT OF SECURITY POLICIES COVERING 3RD PARTY ACCESS: our policy covers this and we consistently enforce it, 51%; our policy covers this, but we don't enforce it all the time, 39%; our policy doesn't cover this, 8%; don't know, 2%.

SECURITY NOT BEING THE KEY CONCERN IN VENDOR SELECTION

More than half (56%) of respondents think that threats around vendor access are not taken seriously enough in their organization. Indeed, nearly three quarters (74%) believe that third-party vendor selection overlooks key risks, with 64% saying that their organization focuses more on cost than security when outsourcing.

This is a difficult issue to negotiate, as it is as much about effecting cultural change within the business as it is about providing a solution for vendor access management. But if cost is such a concern for the powers that be, then perhaps it bears mentioning that the Target breach reportedly cost the company $252 million. The cost of not taking the threat seriously will be far greater than the cost of preventing third-party security risks in the first place.

III: THE FUTURE THREATS AND CONCERNS

It is clear from the research that vendor vulnerability is a significant risk to any organization that engages with a third-party supplier and allows them access to their network. But time is running out for businesses to find a solution. Greater risks are on the horizon.

IT managers, CIOs and CSOs know what is needed to reduce the risk. More than half (55%) think their business will be better protected if they have a policy where vendor access is stratified according to perceived levels of risk. Nearly eight in ten people (78%) believe third-party vendor breaches can only be effectively reduced through access control measures at a people, process, and technology level. And there is a general consensus that higher quality controls throughout the vendor lifecycle (57%), efficiency in the management and monitoring of vendors (52%) and effective monitoring of third-party vendor risks (52%) will be key considerations in safeguarding against vendor data breaches (see Fig 7).

All that remains is to translate awareness into action.

As an organization's network of vendors and third-party suppliers grows, so does the risk of a potential breach. Vendors will increasingly engage third-party suppliers of their own to carry out work on your organization's behalf, and 72% of respondents see this "fourth party risk" as a major concern for the future. It is hard enough to manage network access for the vendors you know about, let alone the ones that you don't. The growing complexity of vendor networks presents significant challenges in this regard.

Another key concern is that the number of devices connecting to your networks will increase sharply in the coming years. Nearly three quarters (74%) of those surveyed are worried about breaches originating from connected devices over the next year. This does not just include smartphones and other mobile devices. With the Internet of Things and the proliferation of internet-enabled peripherals, the number of entry points through which an attack could occur will grow significantly.

Respondents in our survey are nervous about future security breaches. More than three quarters (77%) believe their company will experience a serious information breach within the next two years as a result of vendor activity on their networks. Worryingly, 64% of those surveyed fear that this will happen within the next year (see Fig 6).

FIG 7. KEY CONSIDERATIONS IN PROTECTING AGAINST SECURITY BREACHES: higher quality / tighter controls throughout third-party vendor lifecycle, 57%; speed / efficiency in the management and monitoring of vendors, 54%; effective monitoring of third party vendor risks, 52%; consistency in how third party vendor access is managed, 42%; reduced cost and time of managing third party vendor risk, 37%; improved regulatory compliance, 19%.

FIG 6. TIME FRAME UNTIL A SERIOUS INFORMATION BREACH OCCURS: already happened, 11%; less than 6 months, 24%; 6 months - 1 year, 29%; 1 - 2 years, 14%; longer than 2 years, 6%.

IV: THE SOLUTION TO VENDOR VULNERABILITY: PRIVILEGED ACCESS MANAGEMENT

The good news is that all hope is not lost for organizations, as there are solutions available that will help them manage vendor access to their networks. Many of these solutions enable security professionals to control, monitor, and manage privileged access to critical systems by authorized employees, contractors and third-party vendors.

There is little time to waste, however, and when investigating a Privileged Access Management solution, you should ensure that it has the following capabilities:

1. The ability to account for all vendors with access to systems, the data or applications to which they have access, and why they need it. This information should be regularly reviewed to determine whether vendors still require that level of access.

2. The ability to stratify access to individual vendors (even individuals within the vendor's organization) so they can log into only the applications or systems necessary for their role.

3. The ability to identify when a vendor's access may have been compromised and revoke or reduce network access to specific vendors immediately.

4. The ability to enforce processes around who within your organization can grant third-party vendor access to your systems.

5. The ability to control and monitor additional vendors who may be accessing your systems, such as fourth party subcontractors.
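The five capabilities above, together with the audit-trail and stratified-access points raised in section II, can be made concrete as a small access-review job. The following is an added example written for this page; it is not code from the whitepaper and not Bomgar's product. Every vendor, account, system name, approver role and log line in it is constructed for illustration, and the one-year review interval is an assumed policy value.

```python
"""Added example, not code from the whitepaper or from Bomgar's product.

Models the five PAM capabilities as an access-review job: named per-user
entitlements with a justification and an internal approver (capabilities
1, 2 and 4), an audit trail attributed to vendor accounts (the visibility
gap in section II), out-of-scope access detection with immediate revocation
(capability 3), and logins by accounts no entitlement covers (capability 5).
Every vendor, account, system name and log line below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

APPROVERS = {"it-security"}            # assumed: internal roles allowed to grant vendor access
REVIEW_INTERVAL = timedelta(days=365)  # assumed: entitlements older than this need re-review
REVIEW_DATE = date(2016, 2, 29)        # constructed "today" for the run below


@dataclass(frozen=True)
class Entitlement:
    vendor: str          # vendor organisation
    user: str            # named individual at the vendor, never a shared login
    systems: frozenset   # the only systems this account may reach (stratified access)
    justification: str   # why the access exists (capability 1)
    last_reviewed: date
    granted_by: str      # internal approver (capability 4)


# Constructed entitlements with hypothetical names.
ENTITLEMENTS = [
    Entitlement("hvac-co", "hvac-co/jdoe", frozenset({"billing-portal"}),
                "submits electronic invoices", date(2015, 11, 2), "it-security"),
    Entitlement("hvac-co", "hvac-co/asmith", frozenset({"billing-portal"}),
                "submits electronic invoices", date(2013, 5, 1), "it-security"),
    Entitlement("pos-vendor", "pos-vendor/support", frozenset({"pos-mgmt"}),
                "point-of-sale maintenance", date(2016, 1, 15), "store-ops"),
]

# Constructed access log, one "<date> <account> <system> <action>" per line.
ACCESS_LOG = """\
2016-02-01 hvac-co/jdoe billing-portal login
2016-02-01 hvac-co/jdoe billing-portal upload-invoice
2016-02-03 hvac-co/asmith billing-portal login
2016-02-03 hvac-co/asmith pos-mgmt login
2016-02-03 hvac-co/asmith pos-mgmt deploy-package
2016-02-04 pos-vendor/support pos-mgmt login
2016-02-05 internal/bob file-server login
2016-02-06 cleaning-co/temp hr-system login
"""


def parse_log(text):
    """Turn the log text into (date, account, system, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, account, system, action = line.split()
        events.append((date.fromisoformat(day), account, system, action))
    return events


def review(entitlements, log_text, today):
    """Run the review and return the findings a PAM report would surface."""
    by_user = {e.user: e for e in entitlements}
    findings = {
        "stale_review": [],         # capability 1: access not re-justified in time
        "ungoverned_grant": [],     # capability 4: granted outside the approval process
        "out_of_scope": [],         # capabilities 2/3: account reached a system it is not entitled to
        "unknown_account": [],      # capability 5: external account with no entitlement at all
        "vendor_logins": Counter(), # visibility: logins attributable to each vendor
    }
    for e in entitlements:
        if today - e.last_reviewed > REVIEW_INTERVAL:
            findings["stale_review"].append(e.user)
        if e.granted_by not in APPROVERS:
            findings["ungoverned_grant"].append(e.user)
    for day, account, system, action in parse_log(log_text):
        if account.startswith("internal/"):
            continue  # employees are reviewed elsewhere; this job covers third parties only
        ent = by_user.get(account)
        if ent is None:
            findings["unknown_account"].append((account, system))
            continue
        if action == "login":
            findings["vendor_logins"][ent.vendor] += 1
        if system not in ent.systems:
            findings["out_of_scope"].append((account, system, action, day.isoformat()))
    return findings


def revoke(entitlements, user):
    """Capability 3: drop an entitlement immediately. Any later activity by that
    account is then reported as unknown_account instead of being tolerated."""
    return [e for e in entitlements if e.user != user]


if __name__ == "__main__":
    report = review(ENTITLEMENTS, ACCESS_LOG, REVIEW_DATE)
    for key, value in report.items():
        print(f"{key}: {value}")
    # hvac-co/asmith reached pos-mgmt outside its entitlement: revoke and re-run.
    after = review(revoke(ENTITLEMENTS, "hvac-co/asmith"), ACCESS_LOG, REVIEW_DATE)
    print("after revocation, unknown accounts:", after["unknown_account"])
```

Run as-is, the report flags hvac-co/asmith for a stale review and for reaching pos-mgmt, flags pos-vendor/support as granted by a role outside the approval process, attributes three logins to hvac-co and one to pos-vendor, and surfaces cleaning-co/temp as an account nobody entitled. The point of keying entitlements on named individuals rather than on the vendor is that the audit trail then answers the section II question of who did what: a shared vendor login would collapse jdoe and asmith into one indistinguishable account.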

ABOUT US

Bomgar is the leader in Secure Access solutions that allow organizations to connect fearlessly to people and technology around the world. Bomgar provides leading remote support and privileged access management solutions that strengthen security while increasing productivity. Bomgar solutions help support and security professionals improve business performance by enabling secure, controlled access to nearly any device or system, anywhere in the world. More than 10,000 organizations across 80 countries use Bomgar to deliver superior support services and manage access to valuable data and systems.

To find out how Bomgar's Secure Access solutions can help your business operate more securely, please visit www.bomgar.com