While sorting through the headlines this week and sipping on my morning coffee, I spotted an interesting set of stats from the Ponemon Group on the threat posed by third-party contractors to enterprises. A few of the stats stood out in particular, and confirmed what we already know – the threat is real:
- About seven in 10 respondents believe that third-party risk is increasing or staying the same in their organizations;
- 75% see third-party risks as serious; and perhaps the one most near and dear to my heart given my role at SailPoint,
- An alarming $10 million in the last 12 months has been spent by surveyed organizations on to security incidents coming as a result of negligent or malicious third parties.
What struck me, more so than the stats around the rising threat contractors posed, was how low in priority senior leadership puts the threat of inappropriate access to critical systems and data by third-party contractors. One would think that the cost to respond to security incidents tied directly to contractors would raise visibility of these threats significantly among C-level executives. Equally disconcerting to me: half of organizations surveyed said that their risk assessment of third-parties doesn’t give them visibility into the intellectual property or other highly valuable and sensitive data that contractors may have access to. A breach by a third-party not only has ramifications on data security, but it can also damage the company’s brand – and subsequently the bottom-line – certainly something C-level executives should be concerned about. Just take the Target data breach for example, a prime case of an insider attack from a contractor that made headlines all over the world last year.
While the responsibility for a third-party contractor can be a grey area – especially if contracted through a service provider or vendor – an organization is always responsible for managing and monitoring who has access to their systems. That makes it imperative for organizations to pay much closer attention to the access of contractors.
However, what makes this area of data security such a challenge is finding the right balance between limiting risk and opening up access to sensitive applications and data that a contractor needs to perform his/her job. Unfortunately, there’s no silver bullet solution to this problem, but if enterprises take a layered approach that includes awareness/education, and strong controls, they will be much more secure. In tandem, companies need to proactively monitor and manage contractor’s access privileges, with the goal of limiting access to only what is required to perform a given job.
This brings me to my final point — just like silos in business can impact performance in a number of ways, silos in security can lead to blind spots which can quickly escalate into breaches. To that end, managing third-party access to internal systems should leverage the same identity governance processes an organization leverages for it’s employees, but adjust for the additional risk posed by these types of users. Those organizations that don’t heed this advice put themselves and their business at incredible risk. So yes, the C-level should kindly take note of the risk posed by contractors, if they haven’t already.