Secure Third Party Access Still Not IT Priority

Mark Carrizosa

Record Breaches

Research has revealed that third parties cause 63 percent of all data breaches. From HVAC contractors, to IT consultants, to supply chain analysts and beyond, the threats posed by third parties are real and growing. Deloitte, in its Global Survey 2016 of third party risk, reported that 87 percent of respondents had faced a disruptive incident with third parties in the last two to three years.

In May this year, Ponemon Institute published the results of a 617-person survey that revealed that 75 percent of IT and security professionals said the risk of a breach from a third party is serious and increasing.

The infamous Target breach that occurred during the 2013 holiday shopping season is a prime example of a catastrophic third party data breach. Target confirmed that payment card information from roughly 40 million customers was stolen, as well as 70 million customer records. The root cause of the data breach was compromised network credentials that linked back to the company’s third party HVAC systems subcontractor. The breach cost Target millions of dollars, damage to its brand and reputation, and the resignation of both its CEO and CIO. In the past 12 months, organizations represented in the Ponemon report spent an average of $10 million each to respond to a security incident that was the result of negligent or malicious third parties.

Despite these warnings, a recent study conducted by the Soha Third Party Advisory Group, which consists of industry security and IT experts from Aberdeen Group; Akamai; Assurant, Inc.; BrightPoint Security; CKure Consulting; Hunt Business Intelligence; PwC; and Symantec, found that just two percent of respondents consider third party access a top priority in terms of IT initiatives and budget allocation. The report, which surveyed over 200 enterprise IT and security C-Level executives, directors and managers from enterprise-level companies, uncovered a few reasons for this apathy.

Breaches Happen to Other Organizations

While CVS, American Express and Experian are just a few of the recognizable organizations that have recently suffered through a significant third party breach, the negative news stories published about them and others have not done much to motivate today’s IT personnel. Sixty-two percent of respondents to the Advisory Group report said they do not expect their organization to be the target of a serious breach due to third party access, but they believe 79 percent of their competitors will suffer a serious data breach in the future. Interestingly, 56 percent acknowledged they had concerns about their ability to control and/or secure their own third party access.

Providing Third Party Access Is Difficult

The complexity of providing secure access to applications spread across many clouds or in multiple data centers, and to contractors and suppliers who do not work for you, using devices IT knows nothing about, is a challenge. The Third Party Advisory Group report found that most of those polled believe that providing third party access was a complex and tedious process. The survey found IT needs to touch five to 14 network and application hardware and software components to provide third party access. Fifty-five percent said providing third party access to new supply chain partners or others was a “Complex IT Project,” and on average, they have to touch 4.6 devices, such as VPNs, firewalls, directories, and more. Forty percent described the process as tedious or painful, and 48 percent described it as an ongoing annoyance. This is a problem that will not go away anytime soon, as 48 percent of respondents saw third party access grow over the past three years, while 40 percent said they see growth continuing over the next three years.

People Are Not Afraid of Losing Their Jobs

When the Advisory Group survey asked IT professionals “If a data breach occurred in your area of responsibility, would you feel personally responsible,” 53 percent said they would, because they felt it would reflect poorly on their job performance. However, only 8 percent thought they might lose their jobs if a data breach occurred during their watch. The survey showed that IT professionals take their jobs seriously, but it is unclear who is being held accountable for data breaches and how this ambiguity might affect attitudes and behavior in ensuring organizations are safe from outside threats.

Four Must-Have Features for Secure Third Party Access

When evaluating a secure third party access platform, it’s important the solution be able to navigate and manage a complex maze of people, processes and technologies. The solution should provide a convenient, simple and fast way to manage the platform, policies and security. And at minimum, the solution under evaluation should include the following four features:

  • Identity Access: Identity Access confirms that the third party vendor accessing the IT network has the right to do so. The goal is to provide authenticated end user access only to the specific applications the vendor needs, not to the whole network.
  • Data Path Protection: Rather than building a unique access string through an organization’s firewall, data path protection allows existing security measures to stay as they are, without having to be altered. This feature provides a secure pathway for vendors to access the parts of the network that they need for work purposes. And in the event that credentials are compromised, the direct pathway prevents outside attackers from scanning through the network.
  • Central Management: Keeping track of vendor access can be a challenge, but a centrally managed solution allows organizations to manage and control third party access in a simple and uncluttered fashion. The elimination of complexity means easy, functional connections that provide fundamentally better security and allow for detailed audit, visibility, control and compliance reporting.
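
One way to picture the Identity Access and Central Management features above, as an added example that is not code from the article or from any product: a deny-by-default broker that grants each vendor named applications only, expires grants automatically, and records every decision. The `AccessBroker` class and all vendor and application names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:
    vendor: str
    app: str           # one named application, never a subnet or "any"
    expires: datetime  # access ends without anyone having to remember to revoke it

@dataclass
class AccessBroker:
    """Single place where every third party request is decided and recorded."""
    grants: list
    audit: list = field(default_factory=list)

    def authorize(self, vendor, authenticated, app, now):
        live = [g for g in self.grants
                if g.vendor == vendor and g.app == app and g.expires > now]
        if not authenticated:
            reason = "identity not verified"
        elif not live:
            reason = "no current grant for this application"
        else:
            reason = "ok"
        # Allowed and denied requests are both logged for audit and reporting.
        self.audit.append({"time": now.isoformat(), "vendor": vendor,
                           "app": app, "allowed": reason == "ok", "reason": reason})
        return reason == "ok"

    def reachable(self, vendor, now):
        """What a stolen credential for this vendor could reach right now."""
        return sorted({g.app for g in self.grants
                       if g.vendor == vendor and g.expires > now})

    def denied(self, vendor):
        """Denied requests for a vendor: a signal worth alerting on."""
        return [e for e in self.audit if e["vendor"] == vendor and not e["allowed"]]

# Constructed sample data: vendor and application names are made up.
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)
BROKER = AccessBroker(grants=[
    Grant("hvac-contractor", "hvac-billing-portal", datetime(2016, 12, 31, tzinfo=timezone.utc)),
    Grant("hvac-contractor", "building-telemetry", datetime(2016, 3, 1, tzinfo=timezone.utc)),
    Grant("it-consultant", "ticketing", datetime(2016, 12, 31, tzinfo=timezone.utc)),
])

if __name__ == "__main__":
    print(BROKER.authorize("hvac-contractor", True, "payments-api", NOW))  # never granted
    print(BROKER.reachable("hvac-contractor", NOW))
```

The `reachable` result is the useful review artifact: it lists, per vendor, exactly what a compromised credential exposes, and `denied` surfaces requests outside that list.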

The divide between IT priorities and the need to mitigate third party data breaches affects all industries. IT professionals must recognize that the threat from third parties accessing their infrastructure is very real. The good news is that with the right access platform with the appropriate feature sets, organizations can significantly mitigate their risk.

By Mark Carrizosa, chief information security officer (CISO) and vice president of security for Soha Systems.

Mark joined Soha in 2015 from Walmart, where, as principal security architect, he developed and implemented the company’s global e-commerce security architecture framework. Prior to Walmart, Carrizosa was operational risk consultant at Wells Fargo, where he analyzed the company’s infrastructure and application compliance to improve the security risk posture of both customer-facing and internal systems.
