Companies may be happy to use vendors for a wide range of services that they do not have the resources or skills to conduct in-house, but the vendor data security risk could be considerable, according to a new report issued by security firm Bomgar.
Furthermore, the number of third-party vendors used by an average firm has grown substantially in recent years. Bomgar determined that on average 89 separate vendors are accessing company networks every week. With such high volumes of third-party companies being given access to corporate networks, data breach risk is high, especially considering the lack of security controls in place at many companies.
Numerous companies have reported suffering a data breach as a direct result of granting vendors access to their networks. The survey conducted by Bomgar asked 608 IT decision makers from the United States, UK, Germany, and France about vendor access to their networks and IT security. 69% of respondents said their organization had either definitely or probably experienced a vendor-related data breach.
The situation is likely to get much worse. When asked whether reliance on third-party vendors would increase over the course of the next two years, three quarters of respondents said that it would. It is not only the vendors employed by organizations that are the problem. In many cases, vendors have vendors and subcontract certain tasks to other companies. 72% of respondents said this was the case, increasing vendor security risk further.
Poor Vendor Data Security Could Lead to a Data Breach
The survey also revealed that only 35% of companies could say with any degree of certainty exactly how many vendors were able to access their networks. Just 34% of companies could tell how many logins had been issued to their vendors. This suggests the majority of companies are exercising poor network access control.
Many organizations are leaving themselves wide open to a vendor-related data breach. The potential for damage is considerable. Rather than limiting network privileges for vendors, 44% of companies said that when it comes to network access they tend to use an all-or-nothing approach. Instead of limiting data access to the minimum necessary for a task to be performed, they grant full access.
The survey results show that many companies may be underestimating vendor data security risk. 92% of respondents said they trusted their vendors completely or at least most of the time. That said, when asked if they trust vendors too much, just over two thirds said yes.
While the Bomgar study appears to show overwhelming trust in security vendors, a separate study conducted by the Ponemon Institute revealed that in the United States trust in vendors is much lower, at least when it comes to reporting security breaches.
The Ponemon survey covered 598 individuals across a range of organizations. Respondents were familiar with vendor data security risk management at their respective organizations.
37% of respondents said they believed their primary vendors would not notify them if a breach of confidential or sensitive data occurred. For subcontractors used by third-party vendors, trust was even lower. 73% said they did not think they would be informed of a breach if it occurred.
Organizations may implement robust security defenses to prevent direct network attacks, but if they fail to ensure their vendors are exercising appropriate data security controls and do not keep tabs on who has access to their network, data breaches are likely to occur.