Soha Systems released a report based on a survey conducted by the newly formed Soha Third-Party Advisory Group, which consists of security and IT experts from Aberdeen Group, Akamai, Assurant, BrightPoint Security, CKure Consulting, Hunt Business Intelligence, PwC, and Symantec.
The report, which surveyed over 200 IT and security C-Level executives, directors and managers at enterprise-level companies, revealed four key insights:
- Third-party access is not an IT priority, yet it is a major source of data breaches
- Respondents believe their own organizations are secure from third-party data breaches but think their competitors are vulnerable to them
- Providing third-party access is complex and tedious, and has many moving parts
- IT professionals take data breaches personally but are not worried about losing their jobs due to a breach
Third-party access is not an IT priority
While third parties cause or are implicated in 63 percent of all data breaches, a disproportionately small 2 percent of respondents consider third-party access their top priority in terms of IT initiatives and budget allocation. While they do not see it as a priority, enabling third-party access is an ongoing challenge; 75 percent of respondents said it requires them to touch numerous network and application hardware and software components.
“The results of our survey highlight the disconnect between IT priorities and the urgent need to mitigate third-party data breaches,” said Mark Carrizosa, CISO and VP of security at Soha Systems. “The survey shows enterprises have vastly underestimated the resources required to deal with such breaches, even as their need to provide secure third-party access continues to grow.”
Breaches happen: Just not to our company
Even with all of the recent third-party breaches involving such notable brand names as CVS, Samsung, American Express and Experian, the survey reveals IT executives continue to believe that security breaches are something that happen to competitors’ organizations, not theirs.
While 62 percent of respondents do not expect their organization to be the target of a serious data breach due to third-party access, 79 percent expect their competitors will suffer a serious data breach in the future. And while the respondents did not believe their organizations were vulnerable to an attack through third parties, 56 percent had strong concerns about their ability to control and/or secure their own third-party access.
“For business reasons, organizations are increasingly providing third parties with access to their IT infrastructure, but IT and security leaders really need to help their business leaders understand the risks of third-party access and take steps to help manage these risks to an acceptable level,” said Derek Brink, vice president and research fellow at Aberdeen Group. “The Advisory Group put together by Soha aims to contribute to this important problem by developing a set of best practices and recommendations to be shared later this year.”
Providing third-party access is complex and tedious, and has many moving parts
In addition to not making third-party access security a priority, most of those polled felt that providing third-party access was a complex and tedious process. The survey revealed the following issues:
- IT needs to touch 5 to 14 network and application hardware and software components to provide third-party access
- According to 55 percent of respondents, providing third-party access to new supply-chain partners or others was a “Complex IT Project” and, on average, they have to touch 4.6 devices, such as VPN, firewalls, directories and more. Forty percent described the process as tedious or painful, and 48 percent described it as an ongoing annoyance.
Third-party access is not something that will go away; 48 percent of respondents saw third-party access grow over the past three years, and 40 percent said they see growth continuing over the next three years.
“In a world of applications spread across public and private clouds and accessed by external users who are not your employees using devices you do not manage, providing secure third-party access is a very difficult problem,” said Nico Popp, senior vice president, information protection at Symantec. “It takes a long time for IT to work through the moving parts. In fact, the lack of centralized control makes it virtually impossible for IT to govern and secure third-party access today.”
IT pros take data breaches personally but are not worried about losing their jobs
The survey also asked IT professionals, “If a data breach occurred in your area of responsibility, would you feel personally responsible?” Interestingly, 53 percent of respondents said they would because they felt it would reflect poorly on their job performance; however, only 8 percent thought they might lose their job if a data breach occurred during their watch.
IT professionals take their jobs seriously. But it is unclear who is held accountable for data breaches and how this ambiguity might affect attitudes and behavior when it comes to ensuring that organizations are safe from outside threats.
Advisory group formed to address third-party secure access
As the survey data clearly shows, the divide between IT priorities and the need to mitigate third-party data breaches is a serious problem that affects all industry segments. To help determine why this has been such an ongoing problem, Soha formed the Advisory Group to act as a conduit for ongoing research — including this most recent IT survey — and to establish future guides for ongoing best-practice recommendations on the topic of third-party access.
The Advisory Group features a number of security professionals, analysts and industry influencers, including the group’s chairman, Mark Carrizosa. Mark is Soha’s chief information security officer and vice president of security; he joined Soha in 2015 from Walmart, where, as principal security architect, he developed and implemented the company’s global e-commerce security architecture framework. Prior to Walmart, Mark was an operational risk consultant at Wells Fargo, where he analyzed the company’s infrastructure and application compliance to improve the security risk posture of both customer-facing and internal systems.
Additional advisory group members include Derek Brink, vice president and research fellow at Aberdeen Group; Andy Champagne, VP and CTO at Akamai Labs; Steve Hunt, principal consultant at Hunt Business Intelligence; Slava Kavsan, founder and CEO at CKure Consulting; Mike Kotnour, senior information security advisor at Assurant Solutions, a business segment of Assurant, Inc.; Shahed Latif, principal in the cybersecurity and privacy practice at PwC; Ajay Nigam, senior vice president products at BrightPoint Security; and Nico Popp, senior vice president, information protection, at Symantec. The group’s next survey and recommendations are scheduled for Fall 2016.