When the term insider threat is mentioned people commonly visualize a malicious employee or an accident-prone worker. These insider threat personas – who may steal company IP to enrich themselves or ignorantly click on a link in a phishing email – are indeed all too familiar.
But a different kind of insider threat risk is often overlooked – third parties. Whether it’s a supplier, an external developer or a service contractor, third parties have access to critical systems in businesses. And most organizations work with a steadily increasing number of third-party vendors.
According to Ponemon Institute, companies share confidential information with 583 third parties on average. That number seems incredible, but here’s the highlight stat. Only 34% of companies keep a comprehensive inventory of their third party vendors.
As companies outsource more of their business to third party providers, their risk profile grows. Three of the largest and most infamous data breaches ever – Target, US Office of Personnel Management (OPM) and DoorDash – began via third parties.
Modern organizations are reliant on third party vendors. Supply chains, partner networks and contractors are important elements of a thriving business. But as third-party access becomes more prolific, it’s increasingly difficult to control vendor access to sensitive information.
Fortunately, many organizations are now aware of the third party data breach problem. A survey that Gurucul conducted at Black Hat USA 2019 revealed that 74% of companies are taking steps to mitigate third party data breaches.
The survey didn’t delve into the specific steps that these companies are taking. But Gurucul customers use our behavior analytics security platform to protect themselves from a wide range of insider threats – including third parties. Our machine learning algorithms compare current behavior of users, including third parties, to baselined “normal” behavior. By doing so, our customers can identify anomalous trends that may be insider threat indicators.
MSPs are the Biggest Threat For Third Party Data Breaches
Are some third party vendors more risky than others? We asked this question in our Black Hat survey and found that Managed Service Providers (MSPs) are the biggest third-party concern amongst IT security professionals. MSPs came out ahead of systems integrators, developers, auditors, and call centers. It makes sense. Businesses are migrating their IT and cybersecurity operations to MSPs. These MSPS usually have privileged access into the businesses’ most critical systems. Knowing what MSPs are doing with that elevated access is crucial to security.
And we can expect this situation to grow more complicated. Gartner predicts that managed and subscription-based security services will account for half of all cybersecurity spending by 2020. As trusted advisers to organizations, MSPs manage end-user systems and IT infrastructures. And, increasingly, they are charged with safeguarding their customers’ IT systems from cyberattacks. However, as they often have a roster of clients, this makes them a prime target for cyberattacks.
It’s a good reminder that the actions of any person or entity who can access a company’s critical systems and applications should be monitored. Any vendor with access to sensitive data might be a potential insider threat, whether maliciously or unintentionally.
Organizations can take steps to defend themselves by investing in modern cybersecurity solutions like User and Entity Behavior Analytics (UEBA). With this technology they can identify potential insider threat behavior before it manifests into a data breach.
Learn More About Defending Against Third Party Insider Threats
In short, securing third party access is one of the best ways to protect against intentional or accidental data breaches. Organizations should strive to gain granular control and insight into the actions of their third-party vendors and contractors.
Learn how Gurucul can help you on this path by downloading the white paper Uncover Insider Threats through Predictive Security Analytics.