Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

10/2/2017
08:00 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Security Fails in Third-Party Hands

Your security may rest in the hands of a third party – and those hands will probably let you down.

Organizations traditionally focus on security within their own boundaries. Control and analysis are simpler to perform on resources they own. It's easy to understand that.

But organizations do not function by themselves. Far from it. They swim in an ecosystem that involves other businesses as their partners, providing resources or performing other business functions.

It's becoming obvious to businesses that these third parties can be a portal that threat actors use to compromise a company's sensitive information. The ways that their partners perform their own security can be as great a risk to a company as anything that the organization itself can do.

The Ponemon Institute recently published a report sponsored by the risk firm Opus entitled "Data Risk in the Third-Party Ecosystem" that addressed just how much of a problem third parties posed to a company.

Ponemon conducted the survey by talking with 625 individuals they thought would be familiar with the details of their organizations' third-party risk management posture.

They discovered that 56% of those responding had suffered a third-party data breach in the last year, which was a 7% increase over the previous year. While they could not directly point a finger at one cause, they think this could be because of a growing reliance on third parties and particularly cloud-based service suppliers.

But the response did point out an underlying problem: organizations don't know their supply chains in detail.

Importantly, 57% of Ponemon's respondents didn't have any inventory of the third parties with which they share sensitive data. They just flat out didn't know who had access to their important information. Not only that, they did not know if their suppliers' policies (what ever they were) would be effective in preventing a data breach.

Admitting there was a potential problem did not provide a path to solving it, however. A paltry 17% of those respondents felt they were highly effective at mitigating third-party risks. This is a 5% decrease from the 22% response that the first Ponemon report showed in 2016.

Worse, 60% said that they were unprepared to check or verify their third parties in any manner. While this was an improvement over the 66% that responded this way in 2016, it remains unacceptably large.

The problem gets worse with the farther away from the company a third party is in the supply chain. Only 18% of respondents say their companies know how their information is being accessed or processed by other parties with whom they have no direct relationship, but may have some relationship with a third party that they are using.

This situation will have to improve. If nothing else, the board of directors may force improvement. The study showed that 42% of respondents thought that their company's board of directors would require assurances that third-party risk is being assessed, managed and monitored.


Want to learn more about the technology and business opportunities and challenges for the cable industry in the commercial services market? Join Light Reading in New York on November 30 for the 11th annual Future of Cable Business Services event. All cable operators and other service providers get in free.

Accountability for the third-party risk management was found to be dispersed throughout the organization, which greatly defuses focus and responsibility.

But there has been some small improvement over the last year. Ponemon found that 5% more respondents now have an owner of the third-party program compared to 2016.

The study shows that the time-bomb of third-party security relationships hangs over an organization. Realizing this as well as taking simple, direct measures to improve the situation is needed to prevent another business from taking yours down.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26088
PUBLISHED: 2020-09-24
A missing CAP_NET_RAW check in NFC socket creation in net/nfc/rawsock.c in the Linux kernel before 5.8.2 could be used by local attackers to create raw sockets, bypassing security mechanisms, aka CID-26896f01467a.
CVE-2020-6153
PUBLISHED: 2020-09-24
An exploitable SQL injection vulnerability exists in the FavoritesService.asmx Web Service functionality of eDNA Enterprise Data Historian 3.0.1.2/7.5.4989.33053. A specially crafted SOAP web request can cause an SQL injection resulting in data compromise. An attacker can send an unauthenticated HTT...
CVE-2020-13521
PUBLISHED: 2020-09-24
Parameter psAttribute in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks.Specially crafted SOAP web requests can cause SQL injections resulting in data compromise. An attacker can send unauthenticated HTTP requests to trigger this vulnerability.
CVE-2020-15840
PUBLISHED: 2020-09-24
In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.
CVE-2020-24365
PUBLISHED: 2020-09-24
An issue was discovered on Gemtek WRTM-127ACN 01.01.02.141 and WRTM-127x9 01.01.02.127 devices. The Monitor Diagnostic network page allows an authenticated attacker to execute a command directly on the target machine. Commands are executed as the root user (uid 0). (Even if a login is required, most...