Nearly three quarters of organisations worldwide feel that business partners increase their levels of information security risk, and 13 percent of organisations have terminated a business partnership due to information security concerns, according to a recent survey of more than 200 organisations worldwide by Cybertrust, the global information security specialist. While organisations overwhelmingly agree with the need to monitor the security of their business partners, fewer than half actually assess partner security. However, the study demonstrated that those organisations that do conduct business partner security assessments experience a more than three-fold reduction in the likelihood of security incidents.
When asked if their organisations had suffered a security incident involving business partners within the previous year, 32 percent of respondents reported at least one type of incident, with an additional 12 percent unsure. Of those organisations reporting incidents, malicious code was the most prevalent, with 43 percent of respondents reporting infections, followed by unauthorised network access (27 percent), denial of service (9 percent), system abuse or misuse (8 percent), data theft (7 percent), and fraud (6 percent).
Organisations resoundingly feel that assessing the information security of business partners is a priority – 91 percent of respondents felt that information security relating to business partnerships should be given moderate to high priority by senior management. However, the actual level of priority given by management reflects a different reality. About half of respondents felt that management gives information security no or low priority; the other half felt management placed moderate or high priority on assessing partner security. These findings represent approximately a 45 percent gap between what respondents feel should be done and what is actually done at their organisations.
When respondents were asked how often they assess the security of their business partners’ information systems, about half responded never, or were not sure. Nineteen percent of respondents conducted assessments only prior to the partnership, with the remaining respondents conducting assessments during the partnership only (7 percent), or both prior to and during the partnership (23 percent). Unfortunately, for those organisations conducting assessments, the predominant method of doing so was a simple informal agreement – accepting the partner’s promise that their systems were secure. Formal written agreements ranked a close second, while an elite few employed such measures as questionnaires, light scans and third-party audits.
The complete Cybertrust report on business risks to the extended enterprise, “Risky Business: Information Security in the Extended Enterprise”, can be downloaded free of charge.