More than half of companies (51%) have suffered a third-party data breach, according to a new report.
The research, from the Ponemon Institute and SecureLink, argues that much of the blame lies with the victims themselves: these organizations do not take appropriate measures to protect themselves and often take a "fingers crossed" approach to third-party risk management.
As a result, they expose their networks to both security and non-compliance risk, and it shows: almost half (44%) suffered a breach in the last 12 months, and of those, three-quarters (74%) said the breach followed from granting a third party too much privileged access.
Going deeper into what companies are doing wrong, the report says many outsource critical business processes to third parties without properly evaluating those parties' security and privacy practices. And while many companies recognize third-party remote access as a security threat, they do not prioritize addressing it.
Third-party attacks
Third-party data breaches can be devastating to the victim and to everyone else involved. For example, last year an attacker gained access to an email account at Canon Business Process Services, a supplier to General Electric (GE). Through that account, the attacker obtained sensitive personal information about GE employees, including bank account numbers and passport numbers.
SolarWinds was another third party whose software was used to get into dozens of large corporations and U.S. government agencies. In one of the most well-known and most damaging supply chain attacks in recent history (attributed to a Russian state-sponsored group), the attackers compromised SolarWinds' network, including Microsoft 365 accounts, and hid malicious code in a future update of the Orion platform.
That trojanized update was then pushed to SolarWinds' roughly 33,000 Orion customers worldwide, and the company estimated that up to 18,000 of them installed it. The Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration and the Treasury Department, as well as Microsoft, Cisco, Intel and Deloitte, are just some of the organizations that were attacked.