More than half of businesses (51%) have suffered a data breach that was caused by a third party, a new report has claimed.
New research from the Ponemon Institute and SecureLink claims it’s mostly the victims’ fault, as these organizations fail to take appropriate measures to protect themselves, and often take the “fingers crossed” approach to third-party risk management.
As a result, they’re exposing their networks to both security, and non-compliance risks, and it shows – with almost half (44%) suffering a breach within the last 12 months. Of that number, three-quarters (74%) said it came after giving too much privileged access to third parties.
Going deeper on what businesses are doing wrong, the report says many are outsourcing critical business processes to third parties without properly assessing their security and privacy practices. Even though many businesses see third-party remote access as a security threat, they’re not prioritizing it.
Third-party attacks
Third-party data breaches can be devastating for the victim, and everyone else involved. Last year, for example, a malicious actor accessed an email account of Canon Business Process Services, General Electric’s (GE) vendor. Through the account, the attackers were able to obtain valuable and sensitive data on GE employees, such as bank account numbers and passport numbers.
SolarWinds was another third party whose software was used to get to dozens of large corporations and US government organizations. In what’s known as one of the most devastating supply-chain attacks in recent history, (allegedly Russian, state-sponsored) malicious actors used stolen Microsoft 365 accounts to compromise SolarWinds’ network and slip in malicious code into an upcoming patch for its Orion system.
The patch was later downloaded by more than 33,000 organizations and corporations around the world. The Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, the Treasury, as well as Microsoft, Cisco, Intel, and Deloitte, are just some of the organizations that fell victim to the attack.
Via: VentureBeat
