(April 21, 2021) Remember the Target data breach in 2013? Hackers broke in using the compromised credentials of an HVAC vendor that had remote access to Target’s network. Could a hacker attack your systems via a vendor or business partner?
In our last post, we explained why it is critically important for managed services providers (MSPs) to have robust security. MSPs use a variety of tools to remotely monitor and manage their customers’ systems and networks. If these tools are not properly secured, hackers could exploit them to steal data and execute cyberattacks.
Few business partners have the same level of access as an MSP. However, many organizations provide their partners and suppliers with access to their infrastructure. Not all partners and suppliers place the same emphasis on cybersecurity.
Many organizations assume that their business partners will follow security best practices, but that is far from guaranteed. Any time a third party has access to your IT systems, your organization’s cybersecurity posture is potentially degraded. There is an increased risk that sensitive data could fall victim to a hacker attack.
The Supply Chain Threat
Insider threats are the biggest risk when business partners are given access. A vendor or supplier with an ax to grind could steal data and sell it to the highest bidder, or simply use the data to gain a competitive advantage.
However, most insider threats involve careless users who share sensitive data via email or cloud platforms or give out their credentials to other members of their organization. Users who click on malicious links or files could fall victim to credential theft or ransomware attacks that infiltrate the entire supply chain.
According to a recent survey conducted by Opinion Matters, a staggering 80 percent of organizations have suffered a security breach that began with vulnerabilities in their business partner ecosystem. On average, organizations experienced 2.7 breaches of this type in the preceding 12 months.
More than three-fourths (77 percent) of organizations have little to no visibility into their business partners’ security practices. Almost one-third (32 percent) evaluate the security risks of their supply chains every six months or less frequently. Many use point-in-time assessments such as site audits and questionnaires for these evaluations.
When a security issue is discovered, 36 percent say they simply inform the vendor and hope for the best. Another 36 percent say they rely on the business partner to ensure adequate security, and 29 percent say they have no way of knowing if a security issue arises. (Respondents could select more than one answer.)
Addressing Third-Party Risk
Surveys and onsite visits remain an effective way of assessing a business partner’s security standards before beginning a relationship. The key is to ask a lot of questions. What security standards do they have in place? Do they have a documented security strategy? Do they provide their employees with regular training? What is their incident response plan? What industry certifications do they maintain?
In addition to providing insight into the partner’s security practices, the vetting process offers an opportunity to establish expectations. Organizations should have a written security policy for partners and, ideally, work it into contractual agreements.
Again, site audits and questionnaires provide only a snapshot of business partner security. Organizations should also work with an MSP to monitor all access to their systems — even if it comes from a supposedly trusted source. The right monitoring and management can help spot behavioral anomalies that point to a cyberattack.
The hacker attack that led to the Target data breach cost the retailer millions of dollars and tarnished its corporate brand. Although it is often necessary to give business partners access to systems and data, the risk is very real and difficult to manage. Organizations should take steps to ensure that business partners are following security best practices and hold them accountable for maintaining a cybersecurity posture that protects sensitive data.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region, including managed technology services and consulting, custom software development, and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public- and private-sector customers across the United States.