The Importance of Third Party Identity
Risk from third-party suppliers is set to rise as many businesses adopt new technologies to increase efficiency without having the capabilities to assess and manage the risks, according to industry experts.
“As organizations deploy new technologies, they are outsourcing more to make up for a shortage of in-house skills around things like the internet of things and artificial intelligence,” said Alan Rodger, senior analyst at research firm Ovum.
A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data. The risks associated with a supply chain attack have never been higher, due to new types of attacks, growing public awareness of the threats, and increased oversight from regulators. Meanwhile, attackers have more resources and tools at their disposal than ever before.
The 2014 Target breach was caused by lax security at an HVAC vendor. This year, Equifax blamed its giant breach on a flaw in outside software it was using. It then blamed a malicious download link on its website on yet another vendor.
According to a 2017 survey conducted by the Ponemon Institute, “56 percent of organizations have had a breach that was caused by one of their vendors. Meanwhile, the average number of third parties with access to sensitive information at each organization has increased from 378 to 471. That number might be a little low. Only 35 percent of companies had a list of all the third parties they were sharing sensitive information with.”
“Security of the third parties, such as partners, is a major and widely unaddressed problem nowadays. Many large financial institutions and e-commerce businesses have lost millions of records because of hacked third parties,” said Ilia Kolochenko, CEO of High-Tech Bridge. “Cyber criminals won’t assault the castle, but will instead find a weak supplier with legitimate access to the crown jewels.”
The problem is worldwide. “Almost three-quarters of respondents don’t comprehensively analyze how third-party relationships affect their overall cyber security planning,” according to the findings of a new study from Scalar Decisions Inc. of more than 420 Canadian IT and security workers.
With the introduction of the EU GDPR coming in May, the risk of heavy fines will be hanging over those organizations that fail to protect themselves appropriately against breaches, meaning that robust cybersecurity measures must be an absolute priority for today’s businesses.
SailPoint and SecZetta
A recent SailPoint report found “the contractor workforce is an enterprise blind spot: The surge in freelancers, contract workers and other third parties that make up today’s diverse workforce presents a significant challenge for organizations as it relates to managing identities and their access. Half (46%) of respondents are concerned with the threat that contractors may pose to their organization, with 70% admitting they don’t have full visibility into the access contractors have to corporate systems and the sensitive data that lies within.” The challenge lies with the processes and systems in place to effectively manage this population. We are not talking about freelance and procurement tools for finding and hiring, or IGA systems that grant and govern access; we are talking about managing the information about the individuals, such as the relationship(s), information, reporting, management, and, perhaps most importantly, RISK of the individuals (identities). There is no HR system built to address the complexities of managing third parties, which is why so many companies struggle to address this risky population and why the percentage of breaches caused by third parties is so high.
As a member of SailPoint’s Identity+ Alliance, SecZetta offers a Third-Party Identity Risk Management suite specifically created for this critical challenge. SecZetta allows customers to manage and control the full lifecycle of non-employee identities before granting and governing access. If you are having issues with third-party identity risk, please download our latest solution brief: SecZetta and SailPoint: Streamlining Third-party Identity Risk, Lifecycle & Access.