Trusting the cleaner with the door keys: The risk of third parties to data

The risks created by third party access, connectivity and information sharing through cloud services are very real.

If your office was broken into, you would fear what the intruders might take. Being so concerned about the possibility, you fit all the right locks and alarms and have good door and window security. However, do all the service providers who access your office do the same? If they’re not as security conscious, and they get broken into, the intruders could get hold of the access card or key to your office and then they’re in.

It would be galling because, despite having done all the right things to protect your company’s assets, your defences were still breached. There was a weakness but it wasn’t your security. You gave a vendor the means to access your business to do you a service, and that access was exploited by someone with the skills to take advantage of their weak security.

Yet it’s not just businesses’ physical assets that are under threat; data is vulnerable to similar attacks. IT systems and infrastructure might not be compromised by a direct attack but, instead, through the access given to a third party vendor.

Points of vulnerability

Vendor vulnerability merits much more attention than it generally gets. This is surprising, because there have been high profile data breaches where cybercriminals have got in through a third party. Target suffered in this way back in 2013; the payment card and personal details of tens of millions of customers were exposed as a result and the financial impact on the US retailer was put at over $160 million.

In the case of Target, it was the fact that the vendor connected to the company’s systems for electronic billing, contract submission and project management that created the opportunity. The hackers were able to move from their point of entry to the lucrative systems where financial and customer information could be obtained.

For many companies, cloud services are increasingly used to connect with third party vendors. The cloud provides many benefits for enterprise collaboration, as well as cost savings and efficiency improvements within the company itself. It has made data sharing outside the company as simple as sharing a public link, or inviting a vendor to collaborate on a document. But with this convenience can come vulnerability.

Visibility and control

This isn’t to say that companies should eschew cloud technology, any more than they can refuse to give contractors access to their physical building when they need it to perform their role. They just have to take the right measures to ensure visibility and control over their cloud use, and thereby safeguard their systems and information.

The importance of this is brought into sharp focus when you consider the scale of cloud usage. According to Skyhigh Networks research, the average European organisation now uses more than 1,000 cloud services and shares documents with 849 external domains. That’s a lot of information accessible by a lot of people. Most notably, over 15 per cent of the documents uploaded to cloud-based file sharing services contain sensitive information.

After the Target incident, some commentators suggested that if hackers are persistent enough in their efforts they will eventually get in, and that the battleground has shifted to inside networks. Once the perimeter has been breached, hackers can still be thwarted by being prevented from progressing beyond the entry point: a sort of ‘lose the battle, win the war’ approach.

It’s an uncomfortable thought. In reality, prevention, containment and cure must all be in the security mix, and the battle lines will keep being redrawn. Security tactics and strategy have to stay one step ahead in the fight against cybercrime.

Strength in numbers

A number of high profile technology companies – Airbnb, Uber, Square and Twitter among them – have announced a coalition dedicated to fostering cohesive, collaborative conversations and action around internet security. The new Vendor Security Alliance was formed primarily to address the cyber security risk posed by business partners.

It is positive progress in the drive to raise and sustain awareness among all companies of the importance of vendor cyber security. Despite the regular news we read of significant data breaches, still not enough is being done to mitigate such incidents. A report from PricewaterhouseCoopers (PwC) revealed that 90 per cent of large companies suffered some sort of breach last year and that 18 per cent of the single worst breaches they suffered originated from a third party supplier. Despite this, 19 per cent of those surveyed require no compliance with standards or good practice guides by their suppliers.

When it comes to cloud services, some companies don’t have a tight enough grip on which ones are being used to store corporate data, and they can lack sufficient insight into service usage. They need to know how sensitive information in particular is being shared, with whom, and how those collaborators are accessing it. To mitigate the risk of inappropriate access or use, companies must carry out comprehensive due diligence on cloud services and their providers, and on vendors who are able to access their data or systems. Only cloud services that meet stringent security and compliance requirements should be part of the IT mix, and even then encryption needs to be used. Activity monitoring has to be in place at all times.

The technology estate in every organisation grows and evolves. Additional applications and services get added and others fall into disuse. For this reason it is naive to think that IT has complete control over services; cloud analytics needs to plug the gap, revealing all cloud services in use, the level of risk they might represent and where any anomalous use is occurring.
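As an added illustration of the visibility the article calls for (this is not code from the author or from Skyhigh Networks), the following Python scans a constructed cloud file-sharing audit log to inventory external share domains, flag sensitive documents reachable by public link or by a domain outside an assumed vendor allowlist, and surface users with unusually many external shares; the company domain, vendor domains and event fields are all assumptions.

```python
from collections import Counter

INTERNAL_DOMAIN = "example.com"  # assumed company domain (constructed)
# Assumed allowlist of vendors that have passed due diligence (constructed).
APPROVED_VENDORS = {"billing-vendor.example", "pm-tool.example"}

# Constructed sample of share events from a cloud file-sharing audit log.
SHARE_EVENTS = [
    {"user": "alice@example.com", "doc": "Q3-forecast.xlsx", "sensitive": True,
     "target": "bob@example.com", "link": "named"},
    {"user": "alice@example.com", "doc": "invoice-0421.pdf", "sensitive": False,
     "target": "ap@billing-vendor.example", "link": "named"},
    {"user": "carol@example.com", "doc": "customer-list.csv", "sensitive": True,
     "target": "x@unknown-contractor.example", "link": "named"},
    {"user": "carol@example.com", "doc": "card-export.csv", "sensitive": True,
     "target": "anyone", "link": "public"},
    {"user": "dave@example.com", "doc": "press-kit.zip", "sensitive": False,
     "target": "anyone", "link": "public"},
]

def target_domain(event):
    """Domain an item was shared with, or None for an open public link."""
    if event["link"] == "public":
        return None
    return event["target"].split("@", 1)[1].lower()

def external_domains(events):
    """Inventory of every external domain that has received a share."""
    return sorted({d for d in map(target_domain, events)
                   if d and d != INTERNAL_DOMAIN})

def risky_shares(events, approved=APPROVED_VENDORS):
    """Sensitive items reachable by a public link or by an unapproved domain."""
    findings = []
    for e in events:
        if not e["sensitive"]:
            continue
        d = target_domain(e)
        if d is None:
            findings.append((e["doc"], "public link"))
        elif d != INTERNAL_DOMAIN and d not in approved:
            findings.append((e["doc"], f"unapproved domain {d}"))
    return findings

def heavy_external_sharers(events, threshold=2):
    """Users whose external share count (public links included) meets the threshold."""
    counts = Counter(e["user"] for e in events
                     if target_domain(e) != INTERNAL_DOMAIN)
    return sorted(u for u, n in counts.items() if n >= threshold)
```

In practice the threshold would be set per user or team from a baseline of normal sharing volume rather than a fixed constant.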

The risks created by third party access, connectivity and information sharing through cloud services are real and need to be given just consideration. To enjoy the benefits of collaboration technology, companies need the right security measures in place and must include third parties in their security strategies and regular assessments.

Charlie Howe, VP EMEA, Skyhigh Networks

Image Credit: Yuri Samoilov / Flickr