Third-Party Vendors are a Cyber-Criminal's Dream; Don't Leave the Front Door Unlocked and the Windows Open
By: Orhan Yildirim
Third-party governance and risk management has become increasingly difficult as more and more storage and compute are being done across multiple clouds – private, public, hybrid and multi-cloud environments. Enterprises are going to the cloud and adopting popular “as a service” applications like salesforce.com and others to reduce costs and drive their digital transformation efforts.
But what good is doing so if the risk profile increases, and enterprises become more vulnerable to attacks? Enterprises can and should build new “data houses” with a mix of apps and systems; in fact, they are, and a recent Gartner report estimates the average enterprise uses nearly 2,000 different business applications and platforms today.
When those new houses are built, just as enterprises secure their physical facilities – with locks on the doors and windows – it’s equally or even more important to make sure nobody can accidentally or maliciously break in and corrupt or steal sensitive data and information, or bring systems down by making changes.
As “extended enterprises” continue to build third-party relationships, including data sharing partnerships and API-based integrations, the ability to manage these relationships becomes increasingly critical to success. Organizations that hesitate to expand their ecosystems, given the understandable fear of the risks it naturally creates, can become less competitive than companies that do partner digitally and invest in identifying and managing the accompanying risks.
The most actively “connected” industries include financial services, energy and utilities, manufacturing, government and military, technology, media, telecom, e-commerce, healthcare and pharma, and business process outsourcing for customer service and more.
Companies in these industries often generate revenues of $1 billion or more, and their IT and OT teams are responsible for protecting a far larger number of digital systems than they were responsible for only a few years ago.
While the trend is “decentralizing” IT and allowing business units to make decisions on the third-party partners and platforms they adopt, there is still a great need for centralizing security oversight as more doors and windows are being left open.
A Privileged Access Management (PAM) security posture is essential, and the only way PAM can address the variety of third-party instances in large enterprises – and even small and medium businesses – is through software, automation, and intelligence.
The increasing frequency of third-party incidents, negatively impacting organizational reputation, earnings, and shareholder value, is a compelling driver for organizations to invest in PAM.
As incidents relating to third-parties continue to grow, organizations are becoming more and more concerned about disruption to customer relations and compliance with increasingly strict regulations and the related punitive actions, including large fines, that are in place today and being contemplated for the future. Additionally, the risk to brand reputation, as well as the risk of having to take legal action against third-parties who disrupt a company's operations (whether through negligence or malice), are causing decision makers to look at the risk and reward in new ways.
Many of Ironsphere’s large enterprise customers are now mandating consistent, systematic digital third-party management standards across their operating units, and investing in advancing monitoring and management approaches using Ironsphere’s PAM solution, which is flexible enough to adapt to environments where third-party vendors are growing (and the threat surface is expanding as a result).
The threats arising from the actions of third-parties are very real. A Deloitte study, for example, found that 87 percent of respondents have faced a disruptive incident associated with third-parties in the last 2-3 years, out of which 28 percent faced major disruption and 11 percent experienced a complete third-party failure – reducing their confidence in the related governance and risk management processes.
Slightly more than 26 percent of respondents have suffered reputational damage arising from third-party action in the last 2-3 years; 23 percent ended up being non-compliant with regulatory requirements, with 8.7 percent of these respondents facing a fine or financial penalty as a result of this non-compliance. Another 23 percent of respondents experienced financial or transaction-reporting errors, 20.6 percent dealt with a situation where sensitive customer data has been breached through third-parties, and 10.3 percent lost revenue.
We’d be happy to discuss how your organization is taking on the rising risk of third-party access to infrastructure, data, applications and systems, and demonstrate how Ironsphere’s PAM approach is designed specifically to deal with this challenge: with agility, flexibility and a cost-effective solution.
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile workers, more ecosystem partnerships, and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades. It requires an additional step after entering a username and password – for example, entering a one-time security code sent to a mobile device – before access to applications, systems and data is granted.
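The second step described above is easy to get subtly wrong on the server side: the one-time code must expire, must be usable only once, must not be brute-forceable within its lifetime, and must not be stored in a form that a database leak turns into a working login. The following is an added example (not code from the original article, and not Ironsphere's product) showing a minimal server-side one-time-code flow with those properties. The code lifetime, attempt limit, code length and the `send` callback that delivers the code out of band are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example, not figures from the original article.
CODE_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 3         # wrong guesses allowed before the code is discarded
CODE_DIGITS = 6          # length of the numeric one-time code


def _digest(salt: bytes, code: str) -> bytes:
    """Salted hash of a code. Only this, never the plaintext code, is stored."""
    return hashlib.sha256(salt + code.encode()).digest()


class OtpStore:
    """In-memory record of pending one-time codes, keyed by username.

    `clock` is injectable so expiry can be tested without sleeping; a real
    deployment would back this with a database and deliver the code over
    SMS or push. `send(username, code)` is a hypothetical delivery callback
    supplied by the caller.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> {"salt", "digest", "expires", "attempts"}

    def issue(self, username: str, send) -> None:
        # secrets.randbelow is a CSPRNG; zfill keeps leading zeros so every
        # code is exactly CODE_DIGITS long and the search space is uniform.
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        salt = secrets.token_bytes(16)
        # Re-issuing replaces any earlier pending code for this user.
        self._pending[username] = {
            "salt": salt,
            "digest": _digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        send(username, code)  # plaintext leaves the server only via the out-of-band channel

    def verify(self, username: str, submitted: str) -> bool:
        rec = self._pending.get(username)
        if rec is None:
            return False  # nothing issued, already consumed, or locked out
        if self._clock() > rec["expires"]:
            del self._pending[username]
            return False  # expired: the user must request a fresh code
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]
            return False  # too many guesses: discard rather than let a brute force continue
        # Constant-time comparison of the salted hashes avoids leaking a partial match.
        ok = hmac.compare_digest(_digest(rec["salt"], submitted), rec["digest"])
        if ok:
            del self._pending[username]  # single use: replaying the same code fails
        return ok


def second_factor_demo():
    """Walk the flow once with a constructed user and a fake delivery channel."""
    delivered = {}
    store = OtpStore()
    store.issue("alice", lambda user, code: delivered.__setitem__(user, code))
    first = store.verify("alice", delivered["alice"])   # correct code: True
    replay = store.verify("alice", delivered["alice"])  # same code again: False
    return first, replay


if __name__ == "__main__":
    print(second_factor_demo())
```

The attempt counter is incremented before the comparison, so a wrong guess on the last permitted try and a correct guess after lockout are both rejected; the code is deleted on success, expiry or lockout, which is what makes the second factor "one-time".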