When it comes to large-scale data attacks, the Target breach of late 2013 still looms large. But while its headline-grabbing consequences are easily recalled – over 40 million people impacted, US$18.5 million (£14 million) in settlement costs – there's another fact that sometimes goes overlooked: The breach didn't start with Target.
Rather than attack the retail giant directly, the attackers behind the incident compromised an HVAC firm that did business with Target, using a malware-laden email campaign against the firm's staff. With the firm's login credentials for Target's vendor-facing systems in hand, they used that access as a foothold to get into Target's network.
What the breach demonstrated is that without the proper precautions, you're only as secure as your weakest partner.
As companies prioritise digital transformation, this is an important lesson to keep in mind. Increasingly, enterprises are forging alliances with external vendors and partners. These third-party business relationships let organisations build out their capabilities and enter new markets that they could not otherwise reach.
Today, the “extended enterprise” is basically the norm, even among smaller-scale business operations. Whether it's a parts supplier working with a consumer electronics firm, or a consulting firm linking up with a market research organisation, organisations are realising major bottom-line benefits when they partner with third-party service providers.
But while these third-party business relationships can go a long way toward driving down project costs and enhancing efficiency, there are risks as well – especially when it comes to enterprise security.
When companies entrust proprietary data to external business partners, they inherently expose themselves to risk. And these risks often materialise into actual breach incidents. As a recent Ponemon Institute report about the third-party enterprise ecosystem revealed, 49 percent of businesses surveyed said their company had experienced a data breach specifically linked to a third-party vendor.
What's more, 71 percent of respondents stated they had no visibility into when their third-party vendors shared their data with additional parties. Without this visibility, extended enterprises are all but setting themselves up for a breach.
How extended enterprises can maintain security
As businesses extend their capabilities by building out relationships with external vendors and partners, they need to make sure that cultivating these strategic alliances doesn't come at the expense of company security. And as the Target breach and other similar incidents have illustrated, no business is immune to these repercussions.
The inherent security risks of the extended enterprise demand a strategic solution. Regulators have noticed: upcoming regulations such as GDPR build in requirements for how organisations select and oversee the third parties that process data on their behalf. Here are some of the key steps organisations can take to ensure that their third-party vendor relationships don't come at the expense of enterprise security:
● Build security stipulations into vendor contracts: Before launching a vendor relationship, companies must ensure that a prospective third-party partner's security safeguards align with their own. Yet according to PwC's 2014 annual security survey of businesses, fewer than 60 percent of respondents require their external partners to adhere to their internal security policies. Security alignment needs to start on day one of a company/vendor relationship. To that end, businesses should work with their internal security stakeholders to ensure that security stipulations are built into every external vendor contract. Additionally, companies should require that vendors maintain relevant compliance certifications, such as PCI DSS, ISO 27001 and, for transatlantic data transfers, Privacy Shield, and should check that the scope of each certification actually covers the systems and services the vendor will provide to them.
● Conduct a comprehensive security audit of third parties: Contractual agreements aren't enough to ensure third-party adherence to your company's internal security standards. In addition to embedding security requirements within vendor contracts, companies should verify that external partners undergo independent security audits (for example, an audit against ISO 27001) and should secure the right to review the results. For instance, if you're a PR firm evaluating an external IT services provider and discover the provider doesn't enforce multi-factor authentication for access to its own internal network, the partnership is likely not worth pursuing.
● Bolster communication and ongoing monitoring: Continuous communication with and monitoring of third-party partners is pivotal to a successful and secure vendor relationship. Before commencing a vendor partnership, companies should work internally to establish an effective cadence for monitoring vendor security on an ongoing basis. At minimum, this pre-established process should include onsite visits, periodic status calls, and continuous communication between security stakeholders at both companies. It should also cover regular review of what access the vendor's accounts actually hold in your environment, and revocation of that access when the engagement ends.
While forging strategic business partnerships with third-party vendors is accompanied by security risks, it's also a critical step that companies must take to extend their enterprise into new markets and build out business capabilities. By taking a strategic approach to mitigating the security vulnerabilities of third-party relationships, organisations can achieve the benefits of these alliances without exposing themselves to unnecessary risk.
Contributed by Alvaro Hoyos, chief information security officer at OneLogin
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.