[BreachExchange] Mitigating security risks in the extended enterprise

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 31 19:46:18 EDT 2017


https://www.scmagazineuk.com/mitigating-security-risks-in-the-extended-enterprise/article/699000/

When it comes to large-scale data attacks, the Target breach of late 2013
still looms large. But while its headline-grabbing consequences are easily
recalled – over 40 million people impacted, US$18.5 million (£14 million)
in settlement costs – there's another fact that sometimes goes overlooked:
The breach didn't start with Target.

Rather than attack the retail behemoth directly, the hackers behind the
incident instead launched an email malware-based campaign against an HVAC
firm with which Target did business. Through that attack, hackers were able
to use the firm's privileged login credentials to access Target's network.

What the breach demonstrated is that without the proper precautions, you're
only as secure as your weakest partner.

As companies prioritise digital transformation, this is an important lesson
to keep in mind. Increasingly, enterprises are forging alliances with
external vendors and partners. These third-party business relationships
enable organisations to build out their capabilities and enter new markets
that they wouldn't otherwise be able to.

Today, the “extended enterprise” is basically the norm, even among
smaller-scale business operations. Whether it's a parts supplier working
with a consumer electronics firm, or a consulting firm linking up with a
market research organisation, organisations are realising major bottom-line
benefits when they partner with third-party service providers.

But while these third-party business relationships can go a long way toward
driving down project costs and enhancing efficiency, there are risks as
well – especially when it comes to enterprise security.

When companies entrust proprietary data to external business partners, they
inherently expose themselves to risk. And these risks often materialise
into actual breach incidents. As a recent Ponemon Institute report about
the third-party enterprise ecosystem revealed, 49 percent of businesses
surveyed said their company had experienced a data breach specifically
linked to a third-party vendor.

What's more, 71 percent of respondents stated they had no visibility into
when their third-party vendors shared their data with additional parties.
Without this visibility, extended enterprises are all but setting
themselves up for a breach.

How extended enterprises can maintain security

As businesses extend their capabilities by building out relationships with
external vendors and partners, they need to make sure that cultivating
these strategic alliances doesn't come at the expense of company security.
And as the Target breach and other similar incidents have illustrated, no
business is immune to these repercussions.

The inherent security risks of the extended enterprise demand a strategic
solution. Regulators have taken notice: requirements covering third-party
vendors are built into upcoming regulations such as GDPR. Here are some of
the key steps organisations can take to ensure that their third-party vendor
relationships don't come at the expense of enterprise security:

●   Build security stipulations into vendor contracts: Before launching a
vendor relationship, companies must ensure that a prospective third-party
partner's security safeguards align with their own. Yet according to a 2014
annual security survey of businesses conducted by PwC, fewer than 60
percent of respondents require their external partners to adhere to their
internal business security policies. Security alignment needs to start on
day one of a company/vendor relationship. To that end, businesses should
work with their internal security stakeholders to ensure that security
stipulations are built into all external vendor contracts. Additionally,
companies should require that vendors maintain relevant compliance
certifications, such as PCI, ISO 27001, and Privacy Shield.

●   Conduct a comprehensive security audit of third parties: Contractual
agreements aren't enough to ensure third-party adherence to your company's
internal security standards. In addition to embedding security requirements
within vendor contracts, companies should also verify that external
partners are undergoing third-party security audits and that they are able
to review those results. For instance, if you're a PR firm evaluating an
external IT services provider and discover the provider doesn't have
multifactor authentication in place for its own internal network, it's
likely not worth pursuing a partnership.

●   Bolster communication and ongoing monitoring: Continuous communication
with and monitoring of third-party partners is pivotal to a successful and
secure vendor relationship. Before commencing a vendor partnership,
companies should work internally to establish an effective cadence for
monitoring vendor security on an ongoing basis. At minimum, this
pre-established process should include onsite visits, periodic status
calls, and continuous communication between security stakeholders at both
companies.

While forging strategic business partnerships with third-party vendors is
accompanied by security risks, it's also a critical step that companies
must take to extend their enterprise into new markets and build out
business capabilities. By taking a strategic approach to mitigating the
security vulnerabilities of third-party relationships, organisations can
achieve the benefits of these alliances without exposing themselves to
unnecessary risk.