“If I ever lose my faith in you”: businesses’ confidence in third-party suppliers decreases

A new survey shows that businesses worldwide increasingly lose their faith in third-party suppliers. The reason? The increasing number of IT security incidents that they cause.

The survey, conducted by Kaspersky Lab and B2B International, found that the average cost of a cyberincident caused by a third party’s fault exceeded $3 million for enterprises. For SMBs the average damage is around $67k.

The recent survey showed that up to 37% of companies do not trust their suppliers (up 4% compared to the previous year) because of third-party suppliers’ cybersecurity failures and the cyberincidents that follow from them.

Suppliers were to blame for 18% of cyberincidents so far in 2015.

Not unexpected

It’s not exactly an unexpected finding. Large corporations have learnt (sometimes the hard way) the necessity of strong cyberdefenses; storming their front becomes too laborious a task for cybercriminals. So they look for alternative ways to infiltrate the targeted networks and/or retrieve data of interest.

Third-party suppliers (and every large entity has a wide network of such satellites) are often smaller companies that tend to be less cautious about being attacked – and about protecting themselves. So hackers may – and often do – use their infrastructure as leverage for a successful attack on the primary enterprise. Or they can simply gather the pieces of data they are interested in from the “softer targets”. APT campaigns targeting only SMBs already exist – check out Grabit, for instance.

This may lead to dire ramifications both for the mainstay and its satellites, unless they take full responsibility for their own protection.

Apparently, SMBs have this problem as well. It is highly recommended, of course, to find out the details of a supplier’s cybersecurity practice, but in fact it may be difficult or outright impossible to do so. The only guaranteed way for both SMBs and enterprises to protect themselves is to have a properly installed defensive perimeter.

Deep echelon

A good defense is multilayered, or, as they say in the military, “deeply echeloned”. Applied to IT, it means a properly segmented corporate network with delineated access to different portions so that only employees entitled to do so have access to specific data. Outsiders’ access, in turn, should be heavily restricted (“guest network”) – so that nothing malicious slips through and gains access to anything important.

Kaspersky Lab offers security solutions to protect all segments of the corporate network. For employees’ mobile devices and virtual workstations we have developed special solutions such as Kaspersky Security for Mobile and Kaspersky Security for Virtualization. In addition to our technological solutions, Kaspersky Lab provides training on information security for employees, including how to minimize the risk of incidents when working with third-party suppliers.

Tips