Cloud provider security risks
The single, streamlined organization has been replaced by a digital ecosystem where everything from individual applications to entire data centers has moved to cloud providers. "What you have to protect is so far outside your environment," says Fred Kneip, CEO at CyberGRX. "And hackers are smart. They go for the path of least resistance."
Even hardware now comes cloud-enabled, Kneip says. "The default setting for an IoT welding tool for an automotive line is to send diagnostics to the manufacturer so they can do predictive maintenance," he says. "That sounds awesome, but that can also be a channel back into your whole environment."
Professional services firms may be even less secure
"Security is really only as good as the weakest link," says John Titmus, director of sales engineering EMEA at CrowdStrike, Inc., a security vendor. "Supply chain attacks are getting more widespread and growing in frequency and sophistication. You need to understand the nature of the risks and develop a security roadmap around it."
This summer, Deep Root Analytics, a marketing firm used by the Republican National Committee, leaked the personal data of 200 million voters. This is a small company, that, according to its LinkedIn profile, has fewer than 50 employees. Deep Root Analytics accidentally put the data on a publicly accessible server.
Larger service companies are also vulnerable. The Verizon breach, which involved six million customer records, was caused by Nice Systems, a provider of customer service analytics. Nice put six months of customer service call logs, which included account and personal information, on a public Amazon S3 storage server.
Nice reports that it has 3,500 employees and provides services to more than 85 percent of Fortune 100 customers. Nice is tiny compared to Deloitte, an accounting firm with more than a quarter million employees. In September, Deloitte admitted that hackers were able to access emails and confidential plans of some of its blue-chip clients. According to reports, the attackers gained access due to weak access controls on an administrator account.
"We wouldn't be surprised if we saw more supply-side organizations being hit by attackers to reach their final goal," says Kurt Baumgartner, principal security researcher at Kaspersky Lab.
How to manage third-party risk: First steps
Proper oversight of third-party cyber security risk pays dividends beyond just the compliance benefits. it actually reduces the likelihood of a breach, according to the Ponemon report. "You can reduce the incident of a breach by 20 percentage points," says Dov Goldman, VP for innovation and alliances at Opus Global, Inc., the company that sponsored the study.
Specifically, if a company evaluates the security and privacy policies of all its suppliers, the likelihood of a breach falls from 66 percent to 46 percent. That does include all suppliers, Goldman added
Sign up for Computerworld eNewsletters.