Many organizations are transitioning to digital systems, which has increased their dependency on cloud service providers, web hosting platforms, and other external services. Cybercriminals are recognizing that these outside vendors and subcontractors can often be their best point of entry into many companies.
Single point of failure
BitSight analyzed security ratings of more than 35,000 companies across 22 different industries to uncover the vulnerabilities posed by fourth parties: the subcontractors of third-party vendors.
They uncovered the risk associated with single points of failure, where one disruption from a key service provider could result in widespread outages.
Companies within key industries like Media and Entertainment, Healthcare, and Aerospace and Defense often use the same fourth-party service providers, exposing entire vertical markets to significant outages.
“As a result of recent high-profile breaches, organizations are aware of the security risks associated with their third-party vendors. We are taking vendor risk analysis one step further by looking not only at third party vendors, but the vendors’ vendors as well – the fourth party,” said Stephen Boyer, co-founder and CTO of BitSight Technologies.
“Though understanding your entire security ecosystem may seem like a lofty undertaking, appropriate identification, prioritization, and validation, paired with continuous monitoring, can simplify the process and eliminate the potential for a devastating disruption,” Boyer concluded.
BitSight uses publicly accessible data to rate companies’ security performance on a daily basis. Observed security events and configurations, such as communication with a botnet, malware distribution, and email server configuration, are assessed for severity, frequency and duration, and used to generate objective, accurate, and actionable security ratings.
- The media and entertainment sector could be severely impacted by a service provider outage. Close to 40% of media and entertainment companies use Amazon Web Services as their content delivery network.
- Single points of failure become a reality as organizations and their fourth parties use the same set of service providers. Over 31% of companies examined in this study are linked to Adobe Systems, which experienced a data breach in 2013.
- Aerospace and defense companies could be exposed to serious vulnerabilities as a result of using obsolete software. More than 13% of the aerospace and defense companies observed use IIS 6, indicating that they use Windows Server 2003 (no longer supported by Microsoft).