Third Party Vendors Pose an Outsized Security Threat, Survey Finds

Bomgar_surveyJust 35 percent of IT pros are confident that they know the exact number of vendors accessing their IT systems , according to the results of the new Vendor Vulnerability research report from Bomgar, a provider of secure access solutions. The report finds that third-party vendors can be a significant security risk if their access to IT systems are not managed and monitored correctly.

The new study explores the visibility, control, and management that organizations in the US and Europe have over external parties accessing their IT networks. It also uncovers the level of awareness organizations have over the potential risks – such as cyber-attacks and data breaches – that vendors accessing systems remotely can pose, and looks at the policies and processes organizations have in place to protect themselves, and their third-party vendors, from these issues.

81 percent of survey respondents admitted that high-profile data breaches have increased their awareness of the need for better third-party vendor controls.

Last year’s hack of the federal Office of Personnel Management (OPM), for example, was made possible when hackers obtained a credential used by KeyPoint Government Solutions, a third-party contractor that conducts background investigations of applicants for federal jobs that require a security clearance.

In another example, 2013’s infamous Target data breach started in a similar manner when hackers stole a network login from an HVAC contractor working for Target Corporation.

Despite this increased awareness, just a third (35 percent) or respondents are confident they know the exact number of vendors accessing their IT systems.

The Vendor Vulnerability research reveals that on average 89 third-party vendors access a typical company’s network each week, and that number is likely to grow. Three-quarters (75 percent) of those polled stated the number of third-party vendors used by their organization has increased in the last two years, and 71 percent believe the numbers will continue to increase in the next two years.

The report uncovered a high level of trust in third-party vendors, but a low level of visibility of vendor access to IT systems. 92 percent of respondents say they trust vendors completely or most of the time, although two-thirds (67 percent) admit they tend to trust vendors too much. Astonishingly, only 34 percent knew the number of log-ins to their network attributed to third-party vendors, and 69 percent admitted they had definitely or possibly suffered a security breach resulting from vendor access in the past year.

“Third-party vendors play a vital and growing role in supporting organizations’ systems, applications, and devices. However, they also represent a complex network that many organizations are struggling to appraise and manage correctly,” said Matt Dircks, CEO of Bomgar. “It’s clear from the research that there’s a high level of trust in third-party vendors, but very little visibility or control over what they’re doing when connected to the

company’s network. This combination of dependence, trust, and lack of control has created the ‘perfect storm’ for security breaches across companies of all sizes. If a hacker can compromise and pose as a legitimate vendor, they may have unfettered access to networks for weeks or even months; plenty of time to steal sensitive data or shut down critical systems.”

You can read the report in full here: https://www.bomgar.com/vendorvulnerability

Check out Solutions Review’s all-new 2016 Identity Management Buyer’s Guide, featuring ten questions to ask before purchasing, a full market overview, and detailed profiles of the top 28 IAM  companies and solution backgrounds, key features, and best use cases. Download for free here.

Follow Jeff

Jeff Edwards

Editor, Cybersecurity at Solutions Review
Jeff Edwards is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large.He holds a Bachelor of Arts Degree in Journalism from the University of Massachusetts Amherst, and previously worked as a reporter covering Boston City Hall.
Jeff Edwards
Follow Jeff