A large number of security risks are caused by third party vendors.
As we saw with the recent Debenhams Flowers cyber-attack, using a third party company or service provider can leave your network vulnerable to security breaches. Whilst your company could have top-of-the-line security measures in place, the company that handles your packaging and shipping, or the company that processes customer purchases, may have weak or non-existent security measures.
This is a clear risk.
Chief scientist at security provider Agari, Markus Jakobsson, says:
“…not only does each vendor create a new entry point into an organization’s network for cyber criminals to exploit, but it also means every employee for that vendor is now a potential target to breach your brand. Unfortunately, the only way to ensure your company is not exposed to greater risks is by keeping everything in-house. But in today’s digital world, this isn’t a reality.”
Lacking in resources
Companies that don’t have the resources to conduct certain activities in-house might outsource them to a third party provider that already has the necessary equipment to complete the tasks. However, in this digitally centred world, in order for a vendor to carry out its work, it often needs access to the company’s servers.
As an example, a vendor like DHL (a courier service) may need access to a company’s customer database to see which address certain goods are being delivered to. However, once the vendor is allowed access to the server, the company may be left vulnerable to attack. If you have a building on lockdown but provide a key to a third party to get in through a side door, how do you know they’ve locked the door behind them?
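The side-door problem above is usually addressed by never handing the vendor a key to the whole building: the vendor gets a token that reads only the columns it needs, expires on its own, and leaves an audit trail. The following is an added example written for this page, not code from Debenhams, DHL or any other company named here; the gateway, the `courier-example` vendor and the customer records are all hypothetical, constructed for illustration.

```python
"""Least-privilege, time-bounded vendor access (added example, not from the
article or any named company). A hypothetical in-memory gateway issues a
courier a token that can read only the fields it needs (name, address),
expires after a set time, and records every request in an audit log."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

# Constructed sample customer records; no real data.
CUSTOMERS = {
    101: {"name": "A. Example", "address": "1 High Street, Exampletown",
          "email": "a@example.invalid", "card_last4": "4242"},
    102: {"name": "B. Sample", "address": "2 Low Road, Sampleville",
          "email": "b@example.invalid", "card_last4": "1111"},
}


@dataclass
class VendorGrant:
    vendor: str
    fields: frozenset          # the only columns this vendor may read
    expires_at: datetime
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    revoked: bool = False


class VendorGateway:
    """Mediates vendor reads of the customer table; vendors never query it directly."""

    def __init__(self, clock):
        self._clock = clock      # injectable so expiry can be exercised deterministically
        self._grants = {}
        self.audit = []          # (time, vendor, customer_id, fields, outcome)

    def grant(self, vendor, fields, ttl):
        g = VendorGrant(vendor, frozenset(fields), self._clock() + ttl)
        self._grants[g.token] = g
        return g.token

    def revoke(self, token):
        self._grants[token].revoked = True

    def read(self, token, customer_id, fields):
        now = self._clock()
        g = self._grants.get(token)
        requested = frozenset(fields)
        vendor = g.vendor if g else "unknown-token"
        # Deny unknown, revoked or expired grants before looking at the data.
        if g is None or g.revoked or now >= g.expires_at:
            self.audit.append((now, vendor, customer_id, requested, "DENY:expired-or-revoked"))
            raise PermissionError("grant invalid")
        # Deny any request that reaches beyond the granted columns.
        if not requested <= g.fields:
            self.audit.append((now, vendor, customer_id, requested, "DENY:out-of-scope"))
            raise PermissionError(f"fields outside grant: {sorted(requested - g.fields)}")
        self.audit.append((now, vendor, customer_id, requested, "ALLOW"))
        record = CUSTOMERS[customer_id]
        return {f: record[f] for f in requested}


def demo():
    """Walk a courier grant through allowed, out-of-scope and expired reads."""
    t = [datetime(2024, 1, 1, tzinfo=timezone.utc)]   # controllable clock
    gw = VendorGateway(clock=lambda: t[0])
    token = gw.grant("courier-example", {"name", "address"}, ttl=timedelta(hours=8))
    results = {}
    results["allowed"] = gw.read(token, 101, ["name", "address"])
    try:
        gw.read(token, 101, ["name", "card_last4"])   # payment data is not in scope
        results["out_of_scope_denied"] = False
    except PermissionError:
        results["out_of_scope_denied"] = True
    t[0] += timedelta(hours=9)                          # the side door closes on its own
    try:
        gw.read(token, 102, ["address"])
        results["expired_denied"] = False
    except PermissionError:
        results["expired_denied"] = True
    results["denials_logged"] = sum(1 for e in gw.audit if e[4].startswith("DENY"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit list is what answers the "did they lock the door" question: every denied read, whether out of scope or after expiry, is recorded with the vendor name, so a review of the log shows exactly what the vendor tried to reach, not just what it was given.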
Third parties need to ramp up security
Third parties are used by a large majority of companies, but their security risks are not always properly scrutinised. In trusting vendors with data that could compromise the company itself, as well as its consumers’ sensitive data, companies need to ensure their vendors can handle the data securely. Whilst companies may not be the ones in control of their vendors’ security measures, they cannot simply shirk all the blame if a breach happens. As with the Debenhams data breach, customers looked to Debenhams, not the vendor, to take responsibility for the attack.
Some security experts say companies have a responsibility to properly vet their vendors to ensure the vendors’ security is on a par with their own. From then on, companies should regularly check that the vendors’ security is still intact. Others say companies must assume their vendors have already been breached, and that a high-tech detection and response system needs to be in place to stop a breach from affecting the companies.
Companies should ensure third parties are protected
Soha Systems, innovator of Enterprise Secure Access, found that 63% of all data breaches on a company’s server came from attacking a third party. Whilst vendors may no doubt be essential to a business, companies need to do more to ensure those vendors do not open a security hole. A lack of security protocol may mean the vendor doesn’t know which security procedures it should be following.
SecZetta, a company dedicated to identifying security risks and providing lifecycle solutions, has often blogged about the issue. In one post they warn that:
“…the increased reliance on third-party employees, coupled with the growing sophistication of hackers, has led to the current identity and access management crisis that most businesses are faced with today – whether they realize it or not.”
Unfortunately for security, companies usually involve third party vendors to save resources: to reduce costs, and even as a ‘quick fix’ for temporary tasks. This means that the last thing they want to do is invest more money and time in making sure their vendors are compliant with security protocols.
The resources needed for security management may end up consuming the money saved by using vendors in the first place. Companies clearly have an essential responsibility to balance the delicate scales: managing third party vendors who save them resources, while investing enough resources in robust security.