Supplier and third party access to their corporate network was named in a survey by Skybox Security, by 40 percent of OT security decision makers, as one of the three most serious security threats to an organization – what can be done about it?
Ami Ben-Doror, Vice President of Information Systems and Head of Information Security at SkyTex Security.Photo: Anat Landau, Farm 8
company research Skybox Security (Skybox Security) Israel found that 40% of OT security decision makers rated third-party providers’ access to their corporate network as one of the three most serious security threats to the organization. Surprisingly, less than half of the respondents said that their organization applies to third party entities a binding policy to manage their access to the organization’s operating systems (OT).
In most cases, organizations do not adequately assess the severity of the threats posed by third party providers. Many third-party security issues can be disruptive, putting employee and customer data along with financial and operational information at high risk.
This is a surprising, even embarrassing number, but it stems from a more fundamental problem: organizations simply don’t know how effective their current access policies are. Moreover, organizations do not have a clear view of the movement of data through their infrastructure, so implementing the principles of network segmentation that will allow secure and managed access becomes a huge challenge for them.
In the absence of the ability to segment (segmentation) and gain full visibility, sub-systems in an enterprise OT environment become more vulnerable to malware coming from third-party entities. The risk becomes especially critical when the organization’s partners have a relatively low level of protection, which makes them a “weak link” in its security system. For example, third-party entities may delay installing security updates, or their employees may more easily fall into a phishing trap.
The weak link is used to bypass the security of the organization
Another reason why suppliers and third parties are a “weak link” to the organization is that many attackers prefer to infiltrate or infect vendors, in order to infect the entire supply chain and reach a large number of customers working with the same vendor – such as in cases of Solarwinds (Solarwinds) Inc. Amital in Israel.
The obvious question is what prevents companies from tightening protection against security threats from external parties?
In most cases, organizations do not adequately assess the severity of the threats posed by third party providers. Many third-party security issues can be disruptive, exposing employee and customer data to a high degree of risk, as well as financial and operational information — all exposed to the organization’s supply chain and to third parties, who have access to the organization’s systems.
Today, companies sometimes work with hundreds of different vendors, each with agents and subcontractors. Third party risks can arise at any time in such a wide network.
The new report supports this, as it shows that 78% of OT security decision makers said the complexity of working with multiple vendors is a challenge to achieving full visibility of the enterprise attack surface.
Seeds of Disaster: A Gap in Security Expectations with Third Party Providers
Many companies are unable to track and cross-reference vendor risk with their own security policies and internal credentials, in part due to a failure to pass these policies on to third parties. In this case, there may be a security gap between the parties, which will impair the ability of third parties to ensure compliance with the customer’s security standards. The major challenge stems from the fact that suppliers do not take full responsibility for the risks arising from their services. And if that’s not enough, many companies outsource the management of their operating systems to third parties, which creates an extra layer of risk. The situation arises when a third-party OT security management company is responsible for managing OT providers for your organization – this is clearly a recipe for disaster.
The conclusion is that every organization today is vulnerable to attack by vendors and third parties who are, in many cases, the “weakest link”. To manage and control the threat map, and to ensure maximum visibility of the risks to the organization from the supply chain, a security platform should be used that also addresses the policies of third-party entities that connect to the corporate network. It is important to manage and adapt their access credentials to the corporate network according to the rules of firewall and network segmentation. The modern platform will provide policy optimization, attack simulation, visibility and compliance with security standards – which will make it possible to see all access points, perform path analysis and vulnerability to threats. Furthermore, coordinating the organization’s security expectations with the vendors, will ensure that everyone is fully compliant with the organization’s security policy.
The author is Vice President of Information Systems and CISO at Skybox Security.