Fourth party networks put enterprises at risk
We're all aware that sometimes data can be put at risk by third party systems belonging to suppliers. But a new report by security rating company BitSight looks further down the chain at vulnerabilities posed by fourth parties -- the subcontractors of third party vendors.
Changes in the way organizations source their IT have increased their dependency on cloud service providers, web hosting platforms, and other external services. Cyber criminals are recognizing that these outside vendors and subcontractors can often be their best point of entry into many companies.
"As a result of recent high-profile breaches, organizations are aware of the security risks associated with their third-party vendors. We are taking vendor risk analysis one step further by looking not only at third party vendors, but the vendors' vendors as well -- the fourth party," says Stephen Boyer, co-founder and CTO of BitSight Technologies. "Though understanding your entire security ecosystem may seem like a lofty undertaking, appropriate identification, prioritization, and validation, paired with continuous monitoring, can simplify the process and eliminate the potential for a devastating disruption".
Among the report's findings are that the media and entertainment sector could be severely impacted by a service provider outage. Almost 40 percent of companies in this sector use Amazon Web Services as their content delivery network.
Over 31 percent of companies examined in the study are linked to Adobe Systems, which experienced a data breach in 2013. Also more than 13 percent of the aerospace and defense companies observed use IIS 6, indicating that they use Windows Server 2003 -- which is no longer supported by Microsoft.
The report concludes that with the increasing adoption of the public cloud and digital systems, organizations need better awareness of their fourth party engagements and incorporate subcontractor risk into their vendor risk assessments and questionnaires.
More information is available in the full report which can be downloaded from the BitSight website.