Third-Party Breaches: Eyeing the Risks

March 27, 2015

BitSight’s Stephen Boyer on the Merits of Continuous Monitoring

By Information Security Media Group, February 17, 2015

Target is the high-profile example, but many organizations have been breached through third-party vulnerabilities. Where are the security gaps, and how can they be filled? BitSight’s Stephen Boyer offers insight.Boyer, CTO and co-founder of BitSight Technologies, sees the Target breach as transformational for the industry. It showed that a CEO could be fired as a direct result of a breach.

“Now what we’re seeing is boards of directors getting much more involved,” Boyer says. “They’re asking questions about cybersecurity performance.”

And they want to know specifically which of your third-party service providers leaves you most vulnerable to a breach.

As organizations examine these relationships, they also increasingly turn to continuous monitoring solutions. “[This movement] is a lot different than typically what has been done in the past, which is ‘how do I get continuous visibility into not just myself, but also my third parties, so I can better understand where the risks are and take action in a timely manner?'”

In an interview about data breaches and third-party risks, Boyer discusses:

  • How recent breaches have deeply impacted organizations;
  • Results of a new Forrester survey of third-party risks;
  • How continuous monitoring can help organizations reduce these risks.

Boyer is the CTO, co-founder, and board member of BitSight Technologies. Previously, he has worked at Saperix, Lincoln Lab and Caldera.

Third-Party Risks

TOM FIELD: In the past year, we’ve seen so many high-profile data breaches. I’m thinking about Target, but certainly that there were others, and they resulted because of third-party vulnerabilities. As I talk with security leaders, I certainly hear their frustration in trying to mitigate something that they can’t control and to prepare their organizations to respond to an incident that really doesn’t happen on their purview. Does that match what you’ve seen in the past year as well?

STEPHEN BOYER: Absolutely. I think you articulated it really well. It has been very transformational over the last year. I would say the Target breach, having the CEO let go from that, has really been a transformational event for the industry. Now what we see is that boards of directors are becoming much more involved. They’re asking questions around cybersecurity performance and also wondering how we are doing with respect to our supply chain and our third parties in trying to mitigate those risks. That’s moving up to the board level.

Additionally, what we’re also seeing is risk transfer options. Companies realize that even if they invest heavily in security and train their staff, there’s always some risk or some threat that they can’t account for that they want to be able to transfer into cyber-insurance. We’re seeing a growth there.

Then, also, we’re seeing legislators perk up and become much more interested and asking more questions than they previously had been, specifically with respect to third-party risk management.

Impact on Breached Organizations

FIELD: You make a good point. I traveled to a lot of places all over the world in the past year, places where you never will find a Target store, but everybody knows about the Target breach because it resulted in the CEO losing his job. When you look back on Target and some of the other high-profile breaches, what do you see as common threads in terms of the impacts on the organizations that were breached?

BOYER: It really kind of depends on the situation of the company and their industry. But what we’ve seen is that companies have moved to an outsourcing model. For all the variety of efficiencies that exist in terms of cost and capability, they have outsourcing open up their networks and provide data to someone else, and they’ve increased that trust relationship, which has been a very difficult thing to manage and mitigate. “I’m now moving the parameter of my company and I’m extending the enterprise out to a variety of different companies.” That could be somebody who’s providing heating and ventilation; that could be someone else who’s providing some sort of IT services. They all have access into data or into the networks, and those are points of vulnerability.

Survey Findings

FIELD: You just conducted a new survey with Forrester that’s on third-party risks. Can you share with me some of the key findings?

 

Read full article…