Why third-party providers pose a security risk to organizations

A dependency on third-party cloud and hosting providers leaves businesses more vulnerable to potential cyber threats, according to RiskRecon and the Cyentia Institute.

Why vendors can increase your company's cybersecurity risk profile

Often data breaches and cyber-attacks target companies and access sensitive information using third-party vendors, says Jenny Soubra, head of cybersecurity for Allianz.

Businesses increasingly rely on third parties to host their data, infrastructure, and other important assets. But this external exposure presents a threat to companies, as the security of third-party providers is often not as well managed as their own internal security, according to a study released Tuesday by security assessment firm RiskRecon and security researcher Cyentia Institute.

Commissioned by RiskRecon, the Internet Risk Surface Report: Exposure in a Hyper-Connected World is based on data provided by RiskRecon to the Cyentia Institute for analysis. The dataset is an anonymized sample drawn from RiskRecon's own third-party risk assessment database, and it contains sanitized information on 18,000 different organizations with more than 5 million hosts across more than 200 countries.


Among the organizations examined in the study, 84% host critical or sensitive information with third-party providers. Some 27% host assets with at least 10 different external providers. The third-party providers include a mix of cloud providers, content delivery networks, DNS providers, telecommunications services, and more. Across all those, RiskRecon identified more than 32 million security issues of varying severity.

Overall, organizations were three times as likely to have high-value assets with severe security issues hosted externally versus those in-house. Some 35% of organizations were found to have high or critical vulnerabilities in data and assets hosted with external providers, putting those companies at risk for breaches, accidents, and the possible misuse of data.

Further, 32% of organizations host their data with providers in foreign countries. Hosts in East Asian and Eastern European countries had an almost 400% higher rate of severe security vulnerabilities than did those across North America and Western Europe.

The typical company analyzed in the study maintains 22 Internet-facing hosts, but some of the firms were discovered with more than 100,000 such hosts. Some 57% of organizations have hosts spread out across multiple countries, with 6% discovered across 10 or more countries. Some 20% of the Internet-facing assets owned by organizations in the study were found to have highly sensitive data or functions.

"Your risk surface is anywhere your ability to operate, your reputation, your assets, your legal obligations, or your regulatory compliance is at risk," RiskRecon CEO and co-founder Kelly White said in a press release. "The digital transformation has moved the enterprise risk surface well beyond the internal enterprise network, with 65% of all enterprise internet-facing systems hosted with third-party providers. The data show that enterprises are not keeping up, with the security of internally hosted systems being much better managed than third-party hosted systems. This dilemma has now become critical because organizations are failing to understand how to manage their entire risk surface based on the volume of external digital exposure they face."


Image: iStockphoto/weerapatkiatdumrong

By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books—one on Windows and another on LinkedIn.