Mark Carrizosa

Despite Record Breaches, Secure Third Party Access Still Not An IT Priority

Record Breaches

Research has revealed that third parties cause 63 percent of all data breaches. From HVAC contractors, to IT consultants, to supply chain analysts and beyond, the threats posed by third parties are real and growing. Deloitte, in its Global Survey 2016 of third party risk, reported that 87 percent of respondents had faced a disruptive incident with third parties in the last two to three years.

cloud-infosec-report

In May this year, Ponemon Institute published the results of a 617 person survey that revealed that 75 percent of IT and security professionals said the risk of a breach from a third party is serious and increasing.

The infamous Target breach that occurred during the 2013 holiday shopping season is a prime example of a catastrophic third party data breach. Target confirmed that payment card information from roughly 40 million customers was stolen, as well as 70 million customer records. The root cause of the data breach was compromised network credentials that linked back to the company’s third party HVAC systems subcontractor. The breach cost Target millions of dollars, damage to its brand and reputation, and the resignation of both its CEO and CIO. In the past 12 months, organizations represented in the Ponemon report spent an average of $10 million each to respond to a security incident that was the result of negligent or malicious third parties.

Despite these warnings, a recent study conducted by the Soha Third Party Advisory Group, which consists of industry security and IT experts from Aberdeen Group; Akamai; Assurant, Inc.; BrightPoint Security; CKure Consulting; Hunt Business Intelligence, PwC; and Symantec, found that just two percent of respondents consider third party access a top priority in terms of IT initiatives and budget allocation. The report, which surveyed over 200 enterprise IT and security C-Level executives, directors and managers from enterprise-level companies, uncovered a few reasons for this apathy.

Breaches Happen to Other Organizations

Data Breach Comic

While CVS, American Express and Experian are just a few of the recognizable organizations that have recently suffered through a significant third party breach, the negative news stories published about them and others has not done much to motivate today’s IT personnel. Sixty-two percent of respondents to the Advisory Group report said they do not expect their organization to be the target of a serious breach due to third party access, but they believe 79 percent of their competitors will suffer a serious data breach in the future. Interestingly, 56 percent acknowledged they had concerns about their ability to control and/or secure their own third party access.

Providing Third Party Access Is Difficult

The complexity of providing secure access to applications spread across many clouds or in multiple data centers, and to contractors and suppliers who do not work for you, using devices IT knows nothing about, is a challenge. The Third Party Advisory Group report found that most of those polled believe that providing third party access was a complex and tedious process. The survey found IT needs to touch five to 14 network and application hardware and software components to provide third party access. Fifty-five percent said providing third party access to new supply chain partners or others was a “Complex IT Project,” and on average, they have to touch 4.6 devices, such as VPNs, firewalls, directories, and more. Forty percent described the process as tedious or painful, and 48 percent described it as an ongoing annoyance. This is a problem that will not go away anytime soon, as 48 percent of respondents saw third party access grow over the past three years, while 40 percent said they see growth continuing over the next three years.

People Are Not Afraid of Losing Their Jobs

When the Advisory Group survey asked IT professionals “If a data breach occurred in your area of responsibility, would you feel personally responsible,” 53 percent said they would, because they felt it would reflect poorly on their job performance. However, only 8 percent thought they might lose their jobs if a data breach occurred during their watch. The survey showed that IT professionals takes their jobs seriously, but it is unclear who is being held accountable for data breaches and how this ambiguity might affect attitudes and behavior in ensuring organizations are safe from outside threats.

Four Must-Have Features for Secure Third Party Access

When evaluating a secure third party access platform, it’s important the solution be able to navigate and manage a complex maze of people, processes and technologies. The solution should provide a convenient, simple and fast way to manage the platform, policies and security. And at minimum, the solution under evaluation should include the following four features:

  • Identity Access: Identity Access confirms that the third party vendor accessing the IT network has the right to do so. The goal is to provide authenticated end user access only to the specific applications the vendor needs, not to the whole network.
  • Data Path Protection: Rather than building a unique access string through an organization’s firewall, data path protection allows existing security measures to stay as they are, without having to be altered. This feature provides a secure pathway for vendors to access the parts of the network that they need for work purposes. And in the event that credentials are compromised, the direct pathway prevents outside attackers from scanning through the network.
  • Central Management: Keeping track of vendor access can be a challenge, but a centrally managed solution allows organizations to manage and control third party access in a simple and uncluttered fashion. The elimination of complexity means easy, functional connections that provide fundamentally better security that allows for detailed audit, visibility, control and compliance reporting.

The divide between IT priorities and the need to mitigate third party data breaches affects all industries. IT professionals must recognize that the threat from third parties accessing their infrastructure is very real. The good news is that with the right access platform with the appropriate feature sets, organizations can significantly mitigate their risk.

By Mark Carrizosa, chief information security officer (CISO) and vice president of security for Soha Systems.

Mark joined Soha in 2015 from Walmart, where, as principal security architect, he developed and implemented the company’s global e-commerce security architecture framework. Prior to Walmart, Carrizosa was operational risk consultant at Wells Fargo, where he analyzed the company’s infrastructure and application compliance to improve the security risk posture of both customer-facing and internal systems.

CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in cloud connected technology information, resources and thought leadership services.

Contact us for a list of our leading programs.

CONTRIBUTORS

Using Cloud Analytics To Improve Customer Experience

Using Cloud Analytics To Improve Customer Experience

Evolution of Cloud Analytics Moving data to the cloud, once considered a strenuous task, has now become commonplace in most ...
Staying on Top of Your Infrastructure-as-a-Service Security Responsibilities

Staying on Top of Your Infrastructure-as-a-Service Security Responsibilities

Infrastructure-as-a-Service It’s no secret many organizations rely on popular cloud providers like Amazon and Microsoft for access to computing infrastructure ...
3 Ways to Protect Users From Ransomware With the Cloud

3 Ways to Protect Users From Ransomware With the Cloud

Protect Users From Ransomware The threat of ransomware came into sharp focus over the course of 2016. Cybersecurity trackers have ...
OpenStack private cloud revenues to outpace its public cloud revenues in 2018

OpenStack private cloud revenues to outpace its public cloud revenues in 2018

OpenStack Private Cloud Revenues Growth of OpenStack private cloud will overtake public cloud revenue for hosting providers sooner than previously ...
MarTech’s Fragmented Landscape is Failing Brand Marketers

MarTech’s Fragmented Landscape is Failing Brand Marketers

MarTech’s Fragmented Landscape Mapping the customer journey is one of the biggest strategic shifts currently underway in the marketing industry ...
The Future of Big Data and DNS Analytics

The Future of Big Data and DNS Analytics

Big Data and DNS Analytics Big Data is revolutionizing the way admins manage their DNS traffic. New management platforms are ...
Why Open Source Technology is the Key to Any Collaboration Ecosystem

Why Open Source Technology is the Key to Any Collaboration Ecosystem

Open Source Collaboration Ecosystem Open source – software whose source code is public and can be modified or shared freely ...
5 Important VR Industry Trends Starting To Take Shape

5 Important VR Industry Trends Starting To Take Shape

5 Important VR Industry Trends In recent years, virtual reality (VR) finally made a move to the mainstream after largely ...
David

Egress Fees Don’t Work for Users – Unlimited Free Egress Is Here

Unlimited Free Egress All of the leading object storage vendors – Amazon, Google, and Microsoft – charge for egress (“egress” ...
Cybersecurity Data Breaches: Incident Response Planning

Cybersecurity Data Breaches: Incident Response Planning

Incident Response Planning The topic of cybersecurity has become part of the boardroom agendas in the last couple of years, ...