I’ve been reading a book about the Russian infiltration into our election system. One of the early chapters talks about the hacking into the Democratic National Committee network. What jumped out at me was that while the DNC takes the hit for not being prepared, there were actually glaring failures with a third-party contractor. The company handled IT for the DNC, but it did not have a security professional who could address the breach when the FBI called, and the person in charge didn’t bother to relay this information to his client until it was way too late in the game. Although the book’s authors didn’t mention this, I’d be willing to bet that the DNC leadership responsible for hiring this IT contractor never bothered to discuss cybersecurity or even knew what tools and procedures the company had in place in case there was a security incident.
The DNC isn’t alone. According to a Ponemon Institute study, a majority of organizations lack visibility into their vendors’ security policies and don’t know if these policies would help prevent a breach. At the same time, very few companies – only 17 percent – believe they are effective at mitigating third-party risks.
This inadequate visibility into third-party security policies and procedures, not surprisingly, increases risks. A study from Deloitte found that while 53 percent of companies say they have significant dependence on third parties, they struggle with this business ecosystem, as “seven out of ten respondents believe that business and macro-economic uncertainties have increased the risks inherent in managing the extended enterprise.”
These risks include insecure access controls, poor system configurations, and (as the DNC experienced) a lack of recovery planning and slow reporting of security incidents. As Dan O'Sullivan, an analyst with UpGuard, told Dark Reading:
Third-party vendor risk is the unseen threat for enterprises dealing with cyber-risk. Like a rip in the back of a jacket, the fact that risks taken on by third-party vendors are not visible does not mean they do not expose you to the world.
As I’ve mentioned before, if your third party is the victim of a security incident that affects you, it is your company that will take the fall. How many of us remember the name of the company that essentially caused the Target breach, for example? And how many other companies does that third party work with? The more we understand the ecosystem built around third parties and insist on visibility into their security policies, the better we’ll become at eliminating third-party risks.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba