Organizations are experiencing an increase in third-party attacks as they struggle to find suitable security solutions, according to a report from SecureLink and the Ponemon Institute.
The survey of 632 IT and security professionals found 54% of organizations experienced a cyberattack in the last 12 months, while three-quarters of respondents said they've seen a "significant increase" in security incidents.
The most common incidents resulted from:
- credential theft
- lost or stolen devices
Compounding the issue are limited cybersecurity budgets; a lack of access monitoring, including for confidential data; and continued resistance to security automation, which results in time-consuming manual monitoring procedures, the report found.
Joel Burleson-Davis, CTO at SecureLink, said while increasing cyberattacks is concerning (up 5% compared with last year), the most worrisome statistic is that only 36% of organizations have visibility into the level of access and permissions both internal and external users have.
"Access is everything in modern-day cybersecurity, so if organizations are unable to see what their users are accessing, they're basically leaving their doors unlocked and inviting bad actors to come in and steal the valuables," he explained. "Knowledge is power, and if organizations don't have the knowledge when it comes to their own users — be it internal or third-party users — there's no way for them to gain control over their own access points and critical assets or employ a comprehensive cybersecurity strategy."
Burleson-Davis warns that if the above statistic doesn't change, then the number of cyberattacks will keep increasing year after year as attackers take advantage of those blind spots.
"In this case, the biggest driver of third-party attacks is pure inaction by organizations," he said.
According to the survey, 70% of organizations said a third-party breach came from giving that third party too much access.
Meanwhile, 51% of organizations don't have a comprehensive inventory of all third parties with access to its network, and 67% feel managing third-party permissions and identities is overwhelming and a drain on internal resources.
"It's this inaction that has led to cyberattackers realizing how easy it is to 'breach one, hack many' through third parties, which is why it's happening again and again," Burleson-Davis said.
Rein In Third-Party Attacks by Reining In Third Parties
From Burleson-Davis' perspective, organizations need to regain control of their third parties.
That starts with managing their access up front — how they log in, what they have access to, what those users look like — and then actively managing that access through controls and, simply, more visibility.
"Yes, it might take more resources and cost up front to build out a proactive strategy, but it's much more effective and efficient than dealing with the aftermath of a third-party attack," Burleson-Davis said.
He added that it's a misnomer that cyberattacks only affect the cyber, or IT, parts of an organization.
"In today's age where every aspect of an organization is online, running cloud-based software for OT, and relying on interconnectivity, a cyberattack could take down every aspect of a business," he explained.
Burleson-Davis used the example of a hospital that is attacked and finds its EMR system held ransom — which has and does continue to happen.
This results in doctors being unable to access medical records to diagnose patients, nurses being unable to see what medicines they are supposed to give their patients, and surgeries being canceled because surgeons have no idea what they are operating on.
"If that hospital decides to pay the ransom, now that's a burden on the finances, and the financial team, not to mention the time and money to clean up after an attack," Burleson-Davis said. "Every user is affected, and unfortunately, these kinds of attacks often have dire consequences."
Looking Past the Perimeter to Curb Third-Party Attacks
Organizations are starting to shift their strategies into one that is more holistic and looks more at access and individual assets instead of just the perimeter, according to Burleson-Davis.
"But as the rise in cyberattacks shows, they need to make big leaps, not small steps," he said. "Automation can save a ton of time and money, especially for large organizations, and many automated solutions are built to work with others so organizations can manage both internal and external users as well as implement those fine-grained controls, like multi-factor authentication, while gaining visibility and auditing capabilities."
Burleson-Davis said there are three broad steps all organizations should take.
First up is an investment in proactive solutions, followed by getting a grip on who is accessing what (both internally and externally), including what kind of governance and controls should be in place for your organization.
"Third, you need to be utilizing new technologies and solutions like machine learning, instead of relying on older solutions or even manual access management," he said.