[BreachExchange] Mitigating the risks of third-party access to your data

[Audrey McNeil]

http://betanews.com/2016/11/29/third-party-risks-data/

If your office was broken into, you would fear what the intruders might
take. Being so concerned about the possibility, you fit all the right locks
and alarms and have good door and window security. However, do all the
service providers that access your office do the same? If they’re not as
security conscious, and they get broken into, the intruders could get hold
of the access card or key to your office and then they’re in.

It would be galling because, despite having done all the right things to
protect your company’s assets, your defenses were still breached. There was
a weakness but it wasn’t your security. You gave a vendor the means to
access your business to do you a service, and that access was exploited by
someone with the skills to take advantage of their weak security.

Yet, it’s not just business’ physical assets which are under threat, data
is vulnerable to similar attacks. IT systems and infrastructure might not
be compromised by a direct attack but, instead, through access given to a
third party vendor.

Points of Vulnerability

Vendor vulnerability merits much more attention than it generally gets.
This is surprising, because there have been high profile data breaches
where cybercriminals have got in through a third party. Target suffered in
this way back in 2013; the payment card and personal details of tens of
millions of customers were exposed as a result and the financial impact on
the US retailer was put at over $160 million.

In the case of Target, it was the fact that the vendor connected to the
company’s systems for electronic billing, contract submission and project
management that created the opportunity. The hackers were able to move from
their point of entry to the lucrative systems where financial and customer
information could be obtained.

For many companies, cloud services are increasingly used to connect with
third party vendors. The cloud provides many benefits for enterprise
collaboration, as well as cost savings and efficiency improvements within
the company itself. It has made data sharing outside the company as simple
as sharing a public link, or inviting a vendor to collaborate on a
document. But with this convenience can come vulnerability.

Visibility and Control

It isn’t to say that companies should eschew cloud technology though. Just
as they can’t refuse to give contractors access to their physical building
when they need it to perform their role. They just have to take the right
measures to ensure visibility and control over their cloud use, and thereby
safeguard their systems and information.

The importance of this is brought into sharp focus when you consider the
scale of cloud usage. According to Skyhigh Networks research, the average
European organization now uses more than 1,000 cloud services and shares
documents with 849 external domains. That’s a lot of information accessible
by a lot of people.

Most notably, over 15 percent of the documents uploaded to cloud-based file
sharing services contain sensitive information. After the Target incident,
some commentators suggested that if hackers are persistent enough in their
efforts they will eventually get in, and that the battleground has shifted
to inside networks. Once the perimeter has been breached, hackers can still
be thwarted by being prevented from progressing beyond the entry point. A
sort of "lose the battle, win the war" approach.

It’s an uncomfortable thought. In reality, prevention, containment and cure
must all be in the security mix, and the battle lines will keep being
redrawn. Security tactics and strategy have to stay one step ahead in the
fight against cybercrime.

Strength in Numbers

A number of high profile technology companies -- AirBnB, Uber, Square and
Twitter among them -- have announced a coalition dedicated to fostering
cohesive, collaborative conversations and action around Internet security.
The new Vendor Security Alliance was formed primarily to address the cyber
security risk of business partners.

It is positive progress in the drive to raise and sustain awareness among
all companies of the importance of vendor cyber security. Despite the
regular news we read of significant data breaches, still not enough is
being done to mitigate against such incidents.

A report from Price Waterhouse Coopers (PWC) revealed that 90 percent of
large companies suffered some sort of breach last year and that 18 percent
of the single worst breaches they suffered originated from a third party
supplier. Despite this, 19 percent of those surveyed require no compliance
with standards or good practice guides by suppliers.

When it comes to cloud services, some companies don’t have a tight enough
grip on which are being used to store corporate data, and they can lack
sufficient insight into service usage. They need to know how sensitive
information in particular is being shared, who with and how those
collaborators are accessing it.

To mitigate the risk of inappropriate access or use, companies must carry
out comprehensive due diligence on cloud services and their providers and
with vendors who are able to access their data or systems. Only cloud
services that meet stringent security and compliance requirements should be
a part of the IT mix and even then encryption needs to be used. At all
times activity monitoring has to be in place.

The technology estate in every organization grows and evolves. Additional
applications and services get added and others fall into disuse. For this
reason it is naive to think that IT has complete control over services;
cloud analytics needs to plug the gap, revealing all cloud services in use,
the level of risk they might represent and where any anomalous use is
occurring.

The risks created by third party access, connectivity and information
sharing through cloud services are real and need to be given just
consideration. To enjoy the benefits of collaboration technology, companies
need the right security measures in place and must include third parties in
their security strategies and regular assessments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161129/90f4fdf7/attachment.html>