The level of interconnection in today's digital ecosystem has created tremendous opportunities for organizations to work together by extending capabilities and sharing data. However, an interwoven ecosystem of service providers, contact centers, distributors, licensees, joint ventures and other third parties also creates a much larger attack surface: attackers can skirt an organization's own security measures by targeting the less secure connections it shares with third parties. Recent security breaches that affected Target and Yahoo show how dangerous unsecured third parties can be, and that an organization can be blamed for security vulnerabilities it had little to do with.
In the Philippines, the third-party problem is real. Security risks can come from vendors that use poorly conceived, insecure business processes to manage systems. For example, service providers may maintain and support their clients' internal systems through standing remote access paths that effectively act as backdoors. In some cases, service providers use software that is no longer supported, full of vulnerabilities and impractical to patch. Vendors may also reuse the same administrative passwords in the systems they install at every customer site, so that one compromised password opens all of them. And there are instances of contact center agents leaving sticky notes around their cubicles with passwords to the organization's systems, or with customers' credit card details and personal information.
These situations may sound dismal, but third-party service providers are not entirely to blame for this mess. Under dynamic business requirements, speed-to-market pressures and a highly competitive environment, organizations simply purchase third-party services and software with operational benefits in mind while neglecting security and data privacy. We have seen organizations that do not pay close attention during contract negotiations. Some agreements do not even clearly identify who is responsible for safeguarding the organization's information, or for notifying the organization in case of a data breach.
Organizations often realize that trust has been broken only after a vendor's fraudulent or insecure activities are uncovered: for example, when a customer informs the organization that his or her personal information has been used for some dubious activity, or when confidential data such as management salaries is suddenly shared inappropriately.
The EY Global Information Security Survey 2016-17 confirms that third-party risk management is a major area of risk that is often overlooked, as evidenced by the following findings:
• 68% of respondents disclosed that they would not increase their information security spending even if a supplier was attacked — even though a supplier may provide attackers with a direct route into the organization.