Survey: Partnerships increase security risks

Nearly three-quarters of businesses and government agencies believe having partners increases the chances of an information security breach, and 13 percent said they have terminated a partnership because of security concerns, a new survey found.

Cybertrust, a global information security consulting company, conducted the survey of more than 200 organizations worldwide. More than 8 percent of the organizations were government agencies.

According to the findings, organizations overwhelmingly agree on the need to monitor their business partners’ security, but less than 50 percent said they do so. Organizations that do assess their partners’ security are three times less likely to experience security breaches.

One-third of respondents reported at least one security incident involving business partners in the previous year. Malicious code was the most prevalent at 43 percent, followed by:

  • Unauthorized network access, 27 percent.
  • Denial-of-service attacks, 9 percent.
  • System abuse or misuse, 8 percent.
  • Data theft, 7 percent.
  • Fraud, 6 percent.

Many organizations and agencies have internal compliance mandates and security audits, but they do not have a programmatic way of assessing the security of their external networks, which include those of their partners, said Peter Tippett, Cybertrust’s chief technology officer, in a statement accompanying the survey.

“Without this awareness, organizations continue to leave themselves open to financial and legal risks, as well as brand implications,” he said.

Although 91 percent of respondents said senior managers should make information security a moderate to high priority, about 50 percent said they believe their managers give it low priority or none at all.

When respondents were asked how often they assess the security of their partners’ information systems, about half said never or were not sure. Nineteen percent said they conducted assessments only prior to forming the partnership.

For those organizations that conduct security assessments, the predominant method was a simple informal agreement, accepting the partner's promise that its systems were secure. Formal written agreements ranked a close second, while a few reported using such measures as questionnaires, light scans and third-party audits.

The report, “Risky Business: Information Security in the Extended Enterprise,” can be downloaded free by clicking on “Risky Business.”

About the Author

David Hubler is the former print managing editor for GCN and senior editor for Washington Technology. He is a freelance writer living in Annandale, Va.
