Remember way back when? Those times where you’d leave your house completely unlocked? Where you weren’t worried about someone breaking in or stealing anything?
Maybe it was because you didn’t really have much you perceived as irreplaceable. Or maybe it was because you didn’t really care about things like that.
But more likely it was because you trusted your neighbors and those in your community to respect boundaries. You’d not heard of any break-ins and never thought it could happen to you.
We’ve been living that ‘old days’ life in cyberspace for years now—in fact, in the past 20 years of running Dynamic Edge, I think a good portion of it was not having to worry about people breaking into networks (although being a security guy, I was always thinking about it and finding ways to keep my clients’ data secure).
But those times have changed.
Organizations continue to fall down when it comes to addressing the clear and present cybersecurity risks posed by their third-party partners. It has gotten so bad that 61% of business leaders are unsure if their partners, suppliers, contractors and other outside people accessing their network have access to unauthorized data. If your web hosting company, IT support team, or outsourced accounting firm had access to data they didn’t need or have to see to get their jobs done, would you want them to have it?
In our increasingly connected world, we’re relying on others for business services. I completely get that—I know that my team is delivering services that a ton of local businesses could not afford or would not be able to manage very well if they had to hire complete internal teams to do the work. It’s a necessity in 2019 to have business partners shouldering some of the load.
But do you really need to give them that much access to your network?
Most organizations—nearly 94% of them actually—don’t even know how much access their third-party vendors have on their network. And the majority of organizations (72%) have granted super user privileges to those vendors. Super user means having access to virtually everything on a system—that’s pretty much giving them administrative access to all of your sensitive data.
Is this something you are comfortable doing?
Wouldn’t it be better to keep track of who has access to what? Shouldn’t you be kept in the loop on who is able to see your team’s social security numbers, pay scales, proprietary information, or whatever you think is important to keep a close eye on?
What we’ve found is that the majority of vendors—nearly 85 percent actually—don’t even take protecting your data that seriously. These vendors are using weak passwords—oftentimes a lot less secure than the standards that you have in place for your team members.
And these vendors are NOT abiding by the same security standards that you expect—mainly because no one is holding them accountable to a standard!
Is there an industry that is most at risk for vendor security?
The clear answer is NO. Every single industry, every single supply chain, every single partnership is at risk for cybersecurity problems. If you are not keeping watch on who is accessing what on your network or if you are not making sure you aren’t granting your partners too many privileges, you might be putting a lot on the line for no return.
Third parties are becoming a prime target for cybercriminals in 2019. They are looking for low-hanging fruit at places that haven’t kept up with security policies—mainly contractors, suppliers and partners.
Think back to some of the major data breaches in the past 10 years. Target’s breach impacting over 70 million people came through a compromised HVAC contractor who had a data connection to the retailer’s electronic billing systems.
Delta and Sears both had major compromises as a result of a defective chatbox platform on their websites.
Ransomware attackers are targeting managed services companies and holding their clients’ data ransom because they aren’t making sure their own security is up to speed (aka, they’re not eating their own dog food!).
No one is immune to cybersecurity threats. My question to you: are you certain your business is securing its network enough to prevent a third-party-caused breach?