Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Financial Firms Scrutinize Third-Party Supplier Risk

But executives aren't confident in the accuracy of cybersecurity assessment data received from their vendors, a new study shows.

Financial services executives and managers responsible for the corporate checkbook would rather forgo business with a partner that is not serious about cybersecurity than run the risk of a breach, a new report found.

Some 97% consider cyber risk to be an important or critical issue, and 78% of those surveyed would refuse a partnership with a company that had poor cybersecurity performance, according to a new survey of 129 financial service professionals by security-rating firms BitSight and the Center for Financial Professionals.

"These results not only talk to the importance of having a strong third-party risk management program in place, but - when you think about the implication that they have for a company doing business with financial firms - now you have to demonstrate strong cybersecurity performance or you might lose business," said Jake Olcott, vice president of government affairs for BitSight.

Suppliers and supply chains have become the latest focus of companies trying to reduce their cyber risk. In 2018, a survey by the Ponemon Institute found that nearly 60% of organization had a data breach caused by a third party, but that only 34% of companies had created an inventory of all their suppliers. 

The most recent high-profile attack on a third-party supplier — the breach of remote work enabler Citrix — underscores the danger. The company announced in early March that the FBI had notified the firm that attackers had downloaded business documents from its internal network.

About half of all attacks involve jumping from one corporate network to another, a technique dubbed "island hopping," according to a recent report.

"Supply chains are easy and lucrative targets," Mike Bittner, digital security and operations manager at The Media Trust, a website security firm, said in a statement. "In today's digital environment, they are extremely complex and dynamic, they lie outside the perimeter of the IT infrastructure, and they are, therefore, hard monitor."

For the most part, company executives believe — whether correctly or not — that they have a handle on the situation. More than 80% of respondents indicate that their executive management is "confident in their approach to measuring and managing third-party risk," according to the BitSight/CeFPro survey. Yet, only 44% of boards had regular reports on their third-party risk.

The Attestation Situation

Among the greatest challenges facing companies are a lack of faith in the accuracy of cybersecurity assessment data received from vendors, as well as the timeliness of that data, the survey found.

Part of the problem is that companies often continue to manually poll their vendors, asking the firms to attest to certain security measures without conducting any sort of assessment. Such attestation requires a great deal of time on the part of both companies, resulting in a great deal of paperwork.

Yet, ask a supplier whether such attestation is effective, and most will say no, BitSight's Olcott says.

"It is definitely inefficient and most people think it is ineffective," he says. "I think what we will see in the real world is that being replaced by real-time, automated and continuous data collection."

Automation and continuous data collection are already growing popular in another area of third-party risk: The management of open-source components used in software development. Companies such as Sonatype, WhiteSource, and Snyk are using a variety of scanning to take stock of the third-party libraries being used by developers.

The adoption of such technologies is a direct result of increasing pressure on software vendors to reduce the number of vulnerabilities in their products and online services. With enterprises increasingly focusing on their third-party cyber risk, software vendors won't be the only suppliers under pressure to up their security game, Olcott says.

"Companies are increasingly trying to compete, not only on price and performance, but also on security," he says. "This issue is becoming much more critical."

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Greater Focus on Privacy Pays Off for Firms
Robert Lemos, Contributing Writer,  1/27/2020
Average Ransomware Payments More Than Doubled in Q4 2019
Jai Vijayan, Contributing Writer,  1/27/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Physical Security Privilege Escalation
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3215
PUBLISHED: 2020-01-29
vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function.
CVE-2019-18634
PUBLISHED: 2020-01-29
In Sudo through 1.8.29, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist onl...
CVE-2013-2568
PUBLISHED: 2020-01-29
A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 via the ap parameter to /cgi-bin/mft/wireless_mft.cgi, which could let a remote malicious user execute arbitrary code.
CVE-2013-2569
PUBLISHED: 2020-01-29
A Security Bypass vulnerability exists in Zavio IP Cameras through 1.6.3 because the RTSP protocol authentication is disabled by default, which could let a malicious user obtain unauthorized access to the live video stream.
CVE-2013-2570
PUBLISHED: 2020-01-29
A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 in the General.Time.NTP.Server parameter to the sub_C8C8 function of the binary /opt/cgi/view/param, which could let a remove malicious user execute arbitrary code.