In late December, I warned that third-party risks would be an issue that we had to watch in 2015, and quoted a statement from Steve Durbin, managing director of the Information Security Forum, about this topic.
A newly released study from Forrester and BitSight Technologies found that companies are taking third-party contractors and vendors and their potential security risks very seriously. The study, “Continuous Third-Party Security Monitoring Powers Business Objectives and Vendor Accountability,” found that IT and security decision makers are putting a lot more emphasis into learning about contractors, consultants, vendors, and efforts into tracking risk, critical data loss or exposure and the threat of cyber attacks.
It’s easy to understand why third-party security concerns have increased: In so many of the high-profile breaches we’ve seen over the past 18 months, a third-party security breakdown has been, at least partially, to blame. As Stephen Boyer, CTO and co-founder of BitSight Technologies, said in a statement about the study:
The supply chain has become a cyber security minefield for companies, as we’ve seen with breaches caused by third-party vendors at Target, Neiman Marcus, Goodwill, Home Depot and many more. Continuous, data-driven monitoring of third-party security vulnerabilities and threats has become essential for effective vendor risk management.
And that thinking is what makes another result of the study so baffling and contradictory. While two-thirds of the respondents say third-party security is a top concern, only a little more than a third of them said that they regularly monitor the third party’s security efforts.
Should it be the role of a security professional to keep track of someone else’s security practices? Yes, if it means that their practices, or lack thereof, could put your network and data at risk. After all, as the leadership from Target can tell you from painful experience, if that third party’s security failure results in a breach of your company’s data, it is your company that is going to pay the price.
Security isn’t an area where companies should work in a cocoon or try to keep everything a trade secret. Security has to be a cooperative effort. A third-party contractor should be willing to keep their clients abreast of their security efforts, but you should also be making the effort in return.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba