Outdated vendor systems leaving finance industry at risk

BitSight data scientists found that in most cases, companies in the finance industry supply chain are not meeting the same security standards that finance companies hold for their own organizations.

The spread of BitSight Security Ratings amongst Finance Firms and monitored Legal, Technology, and Business Services organizations as of September 1st, 2017.

“While finance organizations tend to have more sophisticated vendor risk management programs, there is a lot of work to be done to close the performance gap between their own organizations and their immediate business ecosystem,” said Stephen Boyer, CTO of BitSight. “Organizations should scrutinize the security culture and controls of their third and fourth parties. Ensuring that your vendor’s systems are up-to-date and that their employees are not engaging in risky peer-to-peer file sharing is one way to reduce immediate third party cyber risk.”

As part of the study, researchers evaluated the security posture of more than 5,200 legal, technology (information technology and software providers), and business services (accounting, human resources, management consulting and outsourcing) organizations across the globe, whose security ratings are tracked and monitored by hundreds of finance firms using the BitSight Security Rating platform. These industries represent a set of critical vendors and business partners for any organization and the findings are designed to help security and risk professionals shape the way they monitor vendors in order to identify immediate risks that may impact their organization.

The percentage of companies running at least one unsupported instance of Apache or Windows IIS on a server as of July 1st, 2017.

Key findings

A significant security performance gap exists between the Finance firms and companies in their supply chain. The mean rating for finance companies was at least 30 points higher than the mean of companies in their supply chain.

Companies in the finance industry supply chain with a combined desktop software Grade of “B” or lower were more than twice as likely to have had a machine compromise in the past year. Desktop software is graded on the frequency and severity of outdated browsers and operating systems on a company’s network.

One in five business services organizations in the finance supply chain had an instance of Windows XP on their network. Windows XP is no longer supported by Microsoft and generally does not have patches against new cyber risks.

Nearly one in five technology and business services firms in the finance supply chain ran unsupported Windows IIS or Apache on servers Certain versions of Windows IIS 6 are vulnerable to exploits including ExplodingCan.

Peer-to-peer file sharing occurs in less than one percent of finance organizations, but it occurs in over 20 percent of technology and business services firms in the finance industry supply chain. High torrent activity correlates to a higher rate of system compromise as previous BitSight research found that over 40 percent of torrented applications contained malicious software.