
Third-party breaches persist: What you need to know

Vulnerabilities in third-party software used by open source content management platform Drupal.org allowed attackers access to information on nearly one million accounts. The data included hashed passwords, but not financial information.

Third-party access to data remains a serious security concern for enterprise IT executives.

That is the finding of research from CyberRisk Alliance, which shows that in many cases companies simply cannot keep track of who can access their data and what they can do with it.

More than two-thirds of the 204 security practitioners surveyed were sharing internal data with more than 25 partners, and one quarter were handing their internal data over to more than 100 partners.

This reliance on third parties creates significant liabilities when it comes to data breaches. With so many partners holding internal data, control over whether a serious leak occurs passes out of the hands of the organization that originally collected the data and into those of outside parties.

“We had a third-party data breach that caused us reputational damage. We had to get legal involved and communicate to our customers whose data was impacted,” said one respondent. “The dependence of third parties and breaches is a significant impact on our org.”

In many cases the companies responsible for the data do not have a clear picture of exactly who has access to which data. Of those surveyed, just 5 percent said they trusted all of their data partners, and 24 percent said that fewer than three-quarters of their data partners could be trusted to handle their corporate data.

The result is an environment where decision makers lack a clear picture of their data security landscape and even less of an idea of how to properly manage it. When a data breach eventually occurs, companies are left scrambling for an answer.

“An attack happened on one of our cloud service providers, which led to some news reporting associated with our company,” one security professional told CRA in the survey. “Our public relations and our executives had to issue a public statement, and all of the employees had to change their passwords immediately as a precaution.”

Those breaches often turn into serious disruptions for the company whose data was shared. Some 45 percent of respondents said that third-party breaches turned into customer service issues for their own company. In many cases, an oversight by a partner became a crisis for the host company.

The sensitivity of the exposed data was also not trivial. IT decision makers report that the most frequently exposed data was the personal information of customers and employees, followed by internal company data.

As a result, one-third of respondents report having experienced a breach resulting in a monetary loss of more than six figures, and 8 percent have lost more than a million dollars to a data breach caused by a third party.

In some cases, execs say their data loss headaches were caused by partners that had no incentive to properly guard the data they were handling.

“Mostly shadow IT has caused our data to be exfiltrated by employees entering data into third-party software that has no legally binding obligation to keep this data private,” noted one respondent.

IT decision makers would be well advised to look to services and solutions that give them a clear picture of their third-party data policies and that enforce best practices to prevent data breaches.
