IT professionals would rather manage external threats than worry about insiders, a recent survey by Soha finds. But singular focus when it comes to security can end up being a costly mistake.
Data breaches have become so common that it’s easy to overlook them. There were 781 known data breaches in 2015, according to the Identity Theft Resource Center, enough to read about mistakes being made twice a day if the media chose to write about every incident. Websites like haveibeenpwned.com list dozens of breaches affecting high-profile websites.
Almost anyone active online for a few years is likely to have received multiple breach notifications. So many businesses get hacked or reveal data through inattention that the details become a blur.
The potential threat posed by insiders is well known, even if employees, contractors, and partners don’t represent the most significant threat vector. According to Verizon’s 2016 Data Breach Investigations Report, 172 data breaches around the world last year were attributable to insiders and privilege misuse out of 2,260 breaches analyzed.
Privacy Rights Clearinghouse’s database of data breaches suggests a relatively small percentage of breaches happened as a result of insiders: 13 out of 229 listed from 2015. Since the cause of many breaches is not publicly known, insider involvement could be greater.
Perhaps because so many attacks come from the outside, IT executives don’t show much concern about the risk associated with third-party access to secure systems. Soha Systems, a provider of enterprise access management services, recently conducted an online survey of 219 IT professionals in the US, and found that only 2% of them saw third-party access as a top priority in terms of IT initiatives and budget allocation.
That’s not entirely surprising. As a police force isn’t likely to see its own people as its most pressing concern, IT professionals can be expected to look outside their organization and partners before turning their attention inward.
But Soha suggests more attention should be directed inwardly because “third parties cause or are implicated in 63 percent of all data breaches.” That figure comes from a 2013 Trustwave report: “The majority of Trustwave’s investigations (63%) revealed that a third party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers.”
History has proven that insiders and partners can present problems, as they did for CVS, Samsung, American Express, and Experian.
Soha’s findings perhaps overstate organizations’ disinterest in the security of the companies they work with. A BitSight Technologies study, conducted by Forrester Consulting in March 2015, found that third-party security represented a top business concern among enterprises.
Reconciling various vendor-backed studies to reflect the varying security situations faced by each different organization may not be a fruitful endeavor. Apples are not always compared to oranges, so to speak, and there’s a lot of statistical cherry-picking. Try to think of an example of a vendor-backed study that doesn’t justify the company’s product and your thinking cap will run out of batteries. Then there’s the issue of drawing conclusions from what people say in surveys rather than measuring what they actually do. Talk is cheap; implementing better security practices usually isn’t.
But cost isn’t a free pass to do nothing. Here’s a look at why and some of the major findings of Soha’s study. Let us know what you think. What measures does your organization take to stay safe from attacks from outsiders as well as insiders?
It’s Very Important
American Express in March sent out a letter warning cardholders that their account information may have been compromised through a third-party merchant’s systems. Like most data breach notices, the letter said, “Protecting the security of our Card Members’ information is very important to us…” If you’ve ever sat on hold while an automated system assured you that “Your call is very important to us,” you probably understand that the word “important” serves as a poor apology.
The insider threat isn’t the most significant threat, according to Verizon’s 2016 Data Breach Investigations Report.
Soha through a spokesperson said in an email, “Regarding the Verizon 2016 Data Breach Report, their questions did not focus specifically on third parties as either the source or gateway to data breaches, making it difficult for us to comment. This does raise one additional point, however, that we did cover in our survey report: The complex nature of managing third party access hinders an organization’s ability to understand the magnitude of the problem.”
Soha points to a May 2016 Ponemon Institute report, “Tone at the Top and Third Party Access,” which found that only 26% of respondents say their evaluation of controls for business partners is effective.
Ultimately, third-party access requires some attention. Insiders can often do more damage than external threats, so ignore the risk at your peril.
Not My Job
But then that’s the crux of the issue. Breaches aren’t seen as a threat to one’s job, despite what happened to Target CIO Beth Jacob in the wake of a major data breach. Soha found that while 53% of respondents would feel personally responsible for a breach in their area of oversight, they didn’t expect to be held professionally responsible.
No Place Like Home
It’s easier to see vulnerability elsewhere than at home. Soha’s survey found 62% of respondents are sold on their own security measures and skeptical of the efforts at other organizations. Yet almost half (48%) saw third-party access increase over the past three years and 40% expected that growth to continue three years into the future. It stands to reason that risk rises in proportion with the potential attack surface. More partners means more potential problems.
Third Party, First Priority
Of course, dealing with third parties can be a hassle. Soha’s findings suggest that IT personnel are reluctant to undertake the potentially laborious task of securing partner access while there’s other work to be done. If only there were some company that offered a way to simplify the process…