Enterprises Seek Third-Party Compliance with Security Requirements

A recent survey of 106 IT security and risk management decision-makers found that 79 percent of respondents said ensuring that business partners and third parties comply with their security requirements is a top IT security priority over the next 12 months.

The survey, commissioned by BitSight Technologies and conducted by Forrester Consulting, also found that 78 percent of respondents said complying with security requirements placed upon them by business parties was a top IT security priority.

When asked what third-party security information they would see value in monitoring, 68 percent of respondents said they wanted to know third-party threat and vulnerability management practices, 67 percent said third-party encryption policies and procedures, 66 percent said security incidence response processes, and 64 percent said threat intelligence practices.

Still, only 37 percent said they track any of those metrics on at least a monthly basis.

Forrester Research separately found that IT departments at enterprises in the U.S., U.K., France and Germany allocated 21 percent of their over IT spending to third parties in 2014.

And according to the Q3 2013 Forrester Forrsights Services Survey, when asked which types of supplier-related risks they were most interested in tracking and managing, 63 percent of respondents said the risk of losing or exposing critical company data, 62 said the threat of cyber attacks, and 52 percent said the risk of intellectual property theft.

“The supply chain has become a cyber security minefield for companies, as we’ve seen with breaches caused by third party vendors at Target, Neiman Marcus, Goodwill, Home Depot and many more,” BitSight CTO and co-founder Stephen Boyer said in a statement.

Those breaches continue to happen on a regular basis. Texas’ Lone Star Circle of Care (LSCC) recently announced that 8,700 people’s personal information was exposed when the third-party provider that maintains LSCC’s website mistakenly placed a backup file containing the data on the website itself.

The backup file contained information submitted with patient appointment requests, prescription refill requests and other inquiries, including names, mailing addresses, email addresses or phone numbers, birthdates, and in some cases medical queries, services requested, or specific diagnoses and treatment details.

The file was accessible in a publicly accessible folder on the site from July 31, 2014 to January 9, 2015. “Unfortunately, forensic analysis shows that unauthorized individuals downloaded the file before we were able to remove it from our website,” LSCC stated.

A recent eSecurity Planet article looked at several ways of minimizing the risks introduced by working with third-party vendors.

“If you have vendors accessing your data for any reason, make sure you can control, monitor and audit what they are doing,” HyTrust vice president Michele Borovac told eSecurity Planet.

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles