Reports find high security risks among policies for third-party vendors

News by Jeremy Seth Davis

Two new reports examine the security and privacy threats posed by poor procedures for managing the access rights and network activities of third-party vendors.

Two recent reports highlight the security and privacy threats posed by third-party vendors. The reports examine companies' procedures for handling third-party vendor permissions and their ability to track these vendors' activities.

One of the reports, which surveyed IT and security professionals in the US, UK, Germany and France, found that more than two-thirds (69 percent) of organisations surveyed said they may have been breached in the last year as a result of vendor access. The Vendor Vulnerability report, conducted by the remote desktop company Bomgar, found that companies have on average 89 vendors accessing their network every week.

Many organisations do not possess reliable information about the vendors accessing their internal systems. According to the survey, just 35 percent of the decision-makers surveyed were “very confident” that they knew how many vendors have access to their systems. A similar share of participants (34 percent) were confident that they knew how many log-ins vendors possess.

The survey also found a high percentage of companies that provide nearly full access to their third-party vendors. According to the study, 44 percent of the professionals said their companies do not employ gradations of permission settings for vendors, and instead use an “on/off approach” to access.

“This combination of dependence, trust, and lack of control has created the ‘perfect storm’ for security breaches across companies of all sizes,” Bomgar CEO Matt Dircks said, announcing the survey.

Another recent report, the Data Risk in the Third Party Ecosystem study published by the Ponemon Institute, explored the risks of third-party vendors using subcontractors.

Nearly three-quarters (73 percent) of companies do not believe they would be contacted by indirect service providers or subcontractors hired by their company's third-party vendors if one of these ‘fourth-party’ vendors experienced a data breach. According to the survey, 37 percent of the participants did not expect they would be contacted if a direct third-party vendor experienced a breach.

Sixty percent of the survey participants said their companies do not monitor the security practices of their vendors, said Ponemon Institute chairman and founder Dr Larry Ponemon, in a statement announcing the report.

Companies attribute this to a “lack of having the internal resources to check or verify [vendors], or that the third party will not allow for independent monitoring,” he said.
