Third-party breaches

Businesses and organisations are increasingly embracing an outsourcing model for many of their IT functions in order to benefit from significant cost savings and to streamline in-house operations. The globally integrated economy is highly competitive and requires organisations to minimise costs and maximise productivity in order to maintain a competitive edge. Recent research suggests that this trend will continue to increase as the rollout of the NBN makes network connectivity faster and more responsive, and allows better remote-access capabilities.

While there are certainly significant advantages to outsourcing certain IT functions there are also significant security risks, which is why organisations should take specific precautions to make sure the outsourced party is highly experienced in implementing end-to-end cybersecurity strategies. According to the 2013 Trustwave Global Security Report, 63% of the security incidents investigated by Trustwave’s forensic teams in 2012 involved networks in which a major component of IT support was outsourced to a third party. The question you need to ask is, “Is your third-party IT partner opening the door to a fourth-party cybercriminal?” If the answer is yes, then you need to consider how to minimise the risk and establish adequate network defences.

Organisations of all shapes and sizes were affected by security vulnerabilities introduced into their network by a third party, but according to the 2013 Trustwave Global Security Report, small businesses and franchises in the food and beverage and retail industries were the most commonly targeted. The volume of card payments made in these industries makes them a tempting target for cybercriminals and vulnerabilities in their networks increasing their risk of an attack. Many smaller businesses outsource IT support and aren’t aware of the intricacies of their network’s security protocols. Often a third party is only responsible for a certain, small range of security controls and businesses were unaware of where specific responsibilities lie. If your organisation outsources IT functions, it is imperative that you discuss with your third party exactly how network security is being controlled and where responsibility lies. Without this knowledge your organisation is potentially being left unprotected and unprepared for a network attack.

Remote access was the most common method of network infiltration in 2012 because, according to the report:

“Organizations that use third party support typically use remote access applications like Terminal Services (termserv) or Remote Desktop Protocol (RDP), pcAnywhere, Virtual Network Client (VNC), LogMeIn or Remote Administrator to access their customers’ systems. If these utilities are left enabled, attackers can access them as though they are legitimate system administrators.”

It is remarkably easy for cybercriminals to identify remote access systems by monitoring IP address activity; and if the network has weak or poor security credentials, it is similarly easy for them to launch an attack.

If your organisation outsources any or all of its IT functions, there are five key issues that you need to address with your third party to assess the security of their processes and thus your network:

1. Does your third party use a remote administration utility that is always on? This is fairly common for large outsourcing providers but is not the most secure way to operate and increases the opportunity for criminals to breach your network.
2. How robust are your remote administration passwords? Many third parties use simple passwords across multiple locations to make remote administration easier to undertake, making life easier for criminals.
3. Are your firewalls properly configured? Weak access controls and the use of ingress filters undermine the effectiveness of a network firewall.
4. What support does your provider offer in the event of a breach? Many third parties distance themselves when a breach occurs so as not to be held responsible. Develop a plan with your third-party provider about how to detect and respond to a breach before it occurs.
5. Does your third party have the most up-to-date software? Many of the investigations Trustwave conducted showed that many providers don’t have the latest patches and updates, leaving their clients vulnerable to attack.

Armed with this information, you will be able to identify security deficiencies, develop sufficient security controls and reduce the risk of a costly and damaging breach. Outsourcing IT functions is a reality in the current economy and is undoubtedly an effective productivity choice. It can also be a risky business decision if security concerns aren’t addressed. A proactive and rigorous approach to security management between yourself and your third party can reduce the risk of a cyberattack to your organisation.