Third-party risk and understanding that risk continues to grow; but mitigation of the risk is, if anything, getting worse. This can be seen in two separate studies published this week by Ponemon and BitSight.
The Ponemon study (PDF), commissioned by risk and compliance firm Opus, questioned 625 individuals familiar with their organizations’ third-party risk management posture. The BitSight study (PDF) took a different approach and examined the visible security posture of more than 5,200 legal, technology, and business services companies known to be third-parties to finance organizations. Both surveys show a significant gap in the security posture of primary organizations and their third-party suppliers.
For many large organizations, this gap is increasingly exploited by malicious actors as the soft underbelly route into the company. The Ponemon study shows that this situation is, if anything, worsening; while the BitSight study highlights some of the security weaknesses commonly found in third-party vendors.
Ponemon found that 56% of respondents had suffered a third-party data breach in the last year — an increase of 7% over the previous year. The cause ins’t clear, but could be related to industry’s growing reliance on third-parties and especially cloud-based service suppliers. Noticeably, the BitSight study suggests that “business services companies present the highest level of risk for the finance industry.”
Part of the problem is that organizations have little visibility of, or into, their supply chain. Fifty-seven percent of Ponemon’s respondents don’t have an inventory of the third-parties with which they share sensitive data, and the same number don’t know if their suppliers’ policies would prevent a data breach.
BitSight offers some insight in this area. By examining the visible posture of vendors, it has discovered a strong correlation between outdated systems (XP and Vista) and machine compromise. “This means,” suggests BitSight, “that outdated desktop operating systems and browsers that exist within a supply chain are correlated to more immediate risks of machine compromise and data loss.”
However, BitSight also notes that primary finance companies have a higher incidence of outdated servers than their supply chain. Nearly 30% of finance firms have at least one instance of an outdated Windows IIS server on their network, compared to only 10% of their legal services and 20% of business services and technology services suppliers. It points out that one of the exploits leaked by Shadow Brokers relates to IIS v6 (CVE-2017-7269). Earlier this year researchers suggested that more than 8 million webservers might be subject to this vulnerability, and that it had exploited in the wild since July 2016. BitSight also notes that there is a similar correlation for unsupported versions of Apache, for which there have been 15 documented CVEs since 2015. Clearly in some areas organizations need to improve their own security as well as that of their vendors.
Previous BitSight research has shown that high levels of torrent file sharing activity also correlates with a higher rate of system compromise. Finance companies do little of this, with less than 1% exhibiting torrent downloads. Only 10% of legal organizations have torrents; but 22% of business services and 23% of technology firms have torrented. “Overall,” suggests BitSight, “peer-to-peer file sharing activity may be indicative of other lax security policies for an organization.”
“While finance organizations tend to have more sophisticated vendor risk management programs, there is a lot of work to be done to close the performance gap between their own organizations and their immediate business ecosystem,” said Stephen Boyer, co-founder and CTO of BitSight.
The Ponemon study, however, shows that most organizations are not confident in their current ability to do so. Only 17% of respondents feel they are highly effective at mitigating third-party risks (a 5% decrease from 22% in 2016); while 60% (down from 66% in 2016) are unprepared to check or verify their third-parties.
Both studies suggest that third-party risk is now being taken more seriously by senior management. According to Ponemon, this has risen by 15% in the last year. “Senior executives and Boards of Directors are increasingly asking for updates into their vendor risk management programs and looking for demonstrable progress in reducing third-party cyber risk,” says BitSight. There is, however, a long way to go. Gartner reports that by 2020, only 75% of Fortune 500 companies will be treating vendor risk management as a board -level initiative.
Both studies also provide a set of recommendations for improving the current situation.
“Data breaches and cyberattacks continue to plague organizations who are often unaware that the source of their information security risks can result from sensitive data obtained by a third or Nth party,” comments Dr. Larry Ponemon. “It is critical for organizations to actively manage their third-party interactions by implementing standard processes, including inventory and policy review and documentation, senior leadership and board member oversight, as well as other safeguards to reduce their vulnerability.”
The recommendations include, from Ponemon, suggestions such as “conduct audits and assessments to evaluate the security and privacy practices of third-parties”; “create an inventory of third-parties who have access to confidential information and how many of these third-parties are sharing this data with one or more of their contractors”; and “regularly review the security and privacy practices” of third-party vendors.
The problem with these recommendations is that security officers are already aware that this should be done, but have neither the manpower nor budget to do them. Ponemon’s final recommendation consequently becomes the most important: “involve senior leadership and boards of directors in third-party risk management programs.” Achieving this will require that security teams successfully ‘sell’ the need to their management — but the reward could be the first step to solving the problem. “Such high-level attention to third-party risk may increase the budget available to address these threats to sensitive and confidential information,” concludes the report.
BitSight offers some practical recommendations. Having found a correlation between outdated endpoints, servers and peer-to-peer file-sharing with data breaches, it suggests that primary organizations should take special notice of their occurrence in the supply chain. Third-parties with Vista and XP endpoints should be encouraged to upgrade, and provide a timetable for doing so. Particular concern should be taken over vendors who have outdated servers containing their sensitive information since “it is the most immediate path to data compromise.” And, “If a vendor exhibits peer-to-peer file sharing on their network, ask to review their file sharing policies.”
ever, BitSight’s final recommendation is perhaps the most important and potentially least expensive: collaborate with third-parties to improve their level of performance. In the end, third-party risk is all about relationships; and a good working relationship between buyer and seller can go a long way towards mitigating inherent risk.