Secure Third Party Access Still Not IT Priority

Record Breaches

Research has revealed that third parties cause 63 percent of all data breaches. From HVAC contractors, to IT consultants, to supply chain analysts and beyond, the threats posed by third parties are real and growing. Deloitte, in its Global Survey 2016 of third party risk, reported that 87 percent of respondents had faced a disruptive incident with third parties in the last two to three years.

cloud-infosec-report

In May this year, Ponemon Institute published the results of a 617 person survey that revealed that 75 percent of IT and security professionals said the risk of a breach from a third party is serious and increasing.

The infamous Target breach that occurred during the 2013 holiday shopping season is a prime example of a catastrophic third party data breach. Target confirmed that payment card information from roughly 40 million customers was stolen, as well as 70 million customer records. The root cause of the data breach was compromised network credentials that linked back to the company’s third party HVAC systems subcontractor. The breach cost Target millions of dollars, damage to its brand and reputation, and the resignation of both its CEO and CIO. In the past 12 months, organizations represented in the Ponemon report spent an average of $10 million each to respond to a security incident that was the result of negligent or malicious third parties.

Despite these warnings, a recent study conducted by the Soha Third Party Advisory Group, which consists of industry security and IT experts from Aberdeen Group; Akamai; Assurant, Inc.; BrightPoint Security; CKure Consulting; Hunt Business Intelligence, PwC; and Symantec, found that just two percent of respondents consider third party access a top priority in terms of IT initiatives and budget allocation. The report, which surveyed over 200 enterprise IT and security C-Level executives, directors and managers from enterprise-level companies, uncovered a few reasons for this apathy.

Breaches Happen to Other Organizations

 

While CVS, American Express and Experian are just a few of the recognizable organizations that have recently suffered through a significant third party breach, the negative news stories published about them and others has not done much to motivate today’s IT personnel. Sixty-two percent of respondents to the Advisory Group report said they do not expect their organization to be the target of a serious breach due to third party access, but they believe 79 percent of their competitors will suffer a serious data breach in the future. Interestingly, 56 percent acknowledged they had concerns about their ability to control and/or secure their own third party access.

Providing Third Party Access Is Difficult

The complexity of providing secure access to applications spread across many clouds or in multiple data centers, and to contractors and suppliers who do not work for you, using devices IT knows nothing about, is a challenge. The Third Party Advisory Group report found that most of those polled believe that providing third party access was a complex and tedious process. The survey found IT needs to touch five to 14 network and application hardware and software components to provide third party access. Fifty-five percent said providing third party access to new supply chain partners or others was a “Complex IT Project,” and on average, they have to touch 4.6 devices, such as VPNs, firewalls, directories, and more. Forty percent described the process as tedious or painful, and 48 percent described it as an ongoing annoyance. This is a problem that will not go away anytime soon, as 48 percent of respondents saw third party access grow over the past three years, while 40 percent said they see growth continuing over the next three years.

People Are Not Afraid of Losing Their Jobs

When the Advisory Group survey asked IT professionals “If a data breach occurred in your area of responsibility, would you feel personally responsible,” 53 percent said they would, because they felt it would reflect poorly on their job performance. However, only 8 percent thought they might lose their jobs if a data breach occurred during their watch. The survey showed that IT professionals takes their jobs seriously, but it is unclear who is being held accountable for data breaches and how this ambiguity might affect attitudes and behavior in ensuring organizations are safe from outside threats.

Four Must-Have Features for Secure Third Party Access

When evaluating a secure third party access platform, it’s important the solution be able to navigate and manage a complex maze of people, processes and technologies. The solution should provide a convenient, simple and fast way to manage the platform, policies and security. And at minimum, the solution under evaluation should include the following four features:

  • Identity Access: Identity Access confirms that the third party vendor accessing the IT network has the right to do so. The goal is to provide authenticated end user access only to the specific applications the vendor needs, not to the whole network.
  • Data Path Protection: Rather than building a unique access string through an organization’s firewall, data path protection allows existing security measures to stay as they are, without having to be altered. This feature provides a secure pathway for vendors to access the parts of the network that they need for work purposes. And in the event that credentials are compromised, the direct pathway prevents outside attackers from scanning through the network.
  • Central Management: Keeping track of vendor access can be a challenge, but a centrally managed solution allows organizations to manage and control third party access in a simple and uncluttered fashion. The elimination of complexity means easy, functional connections that provide fundamentally better security that allows for detailed audit, visibility, control and compliance reporting.

The divide between IT priorities and the need to mitigate third party data breaches affects all industries. IT professionals must recognize that the threat from third parties accessing their infrastructure is very real. The good news is that with the right access platform with the appropriate feature sets, organizations can significantly mitigate their risk.

By Mark Carrizosa, chief information security officer (CISO) and vice president of security for Soha Systems.

Mark joined Soha in 2015 from Walmart, where, as principal security architect, he developed and implemented the company’s global e-commerce security architecture framework. Prior to Walmart, Carrizosa was operational risk consultant at Wells Fargo, where he analyzed the company’s infrastructure and application compliance to improve the security risk posture of both customer-facing and internal systems.

Jen Klostermann

Telemedicine to medical smartphone applications

Telemedicine to medical smartphone applications With the current and growing worldwide concerns regarding the Coronavirus (COVID 19). Telemedicine is more important now than ever. What are some of the key areas in the coming years ...
Sangeeta Chhabra

Leverage DaaS To Solve Challenges of Remote Work

Solve Challenges of Remote Work In the past one year of Coronavirus (COVID-19), we have seen it all: An ailing world economy, dramatic changes in the political structure of many countries, and, most prominently, a ...
Nikolas Kairinos

The growing role of AI in Sales and Marketing

AI in Sales and Marketing  Artificial intelligence (AI) as a Sales and Marketing (SaM) tool to help businesses deliver a better customer experience and secure quality leads was once considered an advantage reserved only for ...
Fig 2

Leveraging machine learning models for predictive maintenance of network services

Leveraging machine learning models As per lightreading's service assurance and analytics research study conducted with 100+ network operators and service providers, nearly 40% reported that issues around service assurance as a massive challenge. Service assurance ...
Patrick Joggerst

From Virtualization to Cloudification: Transforming Networks, Now What?

Virtualization to Cloudification As we head into the next decade of telecommunications network technology transformation, we find ourselves at a pivotal moment as the era of virtualization becomes the new era of cloudification. Real-time communications ...
Or Lenchner

Destination IPPN: why the travel sector must harness a global IP proxy network

Destination IPPN While massive growth in the travel sector has been predicted, the digital environment has also massively upped competition amongst service providers, keen to offer travellers the best personalized online booking and buying experience ...