
Suppliers cause over 40% of IT security breaches, says NCC Group

More than 40% of corporate IT security breaches are related to third party suppliers, according to new research from global information assurance firm, NCC Group.

100 CIOs from companies with over 1000 employees were questioned as to their security practices with third party suppliers, which could range from accountants or lawyers to web designers or software providers. A hefty 76% of those surveyed said that their suppliers had access to their customer data, while 43% of those who had suffered an IT security breach knew that it was due to third parties.

Malicious hackers can exploit weak links in the supplier security chain to harvest customer contact or financial details, which are then used to commit fraud. They can also use third party weaknesses to gain direct access to the clients’ own networks, stealing sensitive data or intellectual property. Last year US military contractor, Lockheed Martin, faced disruption to its computer networks that was linked to the hacking of one of its suppliers, RSA, weeks earlier.

Paul Vlissidis, technical director at NCC Group, comments: “This is a major problem, and one that needs addressing now. Cyber criminals long ago caught onto the fact that third party suppliers can provide an easy route into valuable data, and it’s time for businesses to take serious action to mitigate the risk. Even with malicious attacks taken out of the equation, a supplier with less meticulous procedures than your own company could cause an accidental breach.”

NCC Group is addressing the grim realities of supply chain security with a new proactive security service, called Supplier Assured.

Supplier Assured draws on NCC Group’s unique breadth and depth of digital and physical security expertise in order to provide a detailed examination of clients’ supply chains. The Supplier Assured team undertakes a detailed audit of suppliers’ security policies and procedures, measuring them against industry best practice standards. On completion, clients receive a management report detailing any identified security issues and recommended actions.

“Supplier Assured has been designed to be a fully managed service,” Paul explains. “Most CIOs appreciate that third party suppliers are a weak link, but the process of auditing every supplier individually can be complex and arduous.”