China and Japan amongst those with least knowledge about their partners’ security practices, with the US and Germany amongst those at the top
New research from Accenture’s Technology Vision 2019 report has found that 7 in 10 businesses may be particularly vulnerable to malicious attacks through their ecosystem. Just 29% of business and IT executives globally know how diligently their partners are working regarding security, with 56% relying on trust alone.
This comes despite the fact that this tactic, known as ‘Island Hopping’, is steadily increasing. Indirect attacks of this nature could account for nearly a quarter of the total value at risk from cybercrime over the next five years.
The UK is in the middle of the pack, meeting the global average of 29%. However, figures were amongst the lowest in China and Japan, where just 11% and 14% respectively felt that they knew whether their partners were working diligently to be cyber resilient. Amongst the highest were the US and Germany, at 35% and 30%.
Understanding different cultural approaches to partner security is crucial for companies with complex global supply chains. Hackers are increasingly adept at exploiting third-parties as a route into Fortune 500 companies, which can have hundreds if not thousands of partners each at any given time.
“Business perimeters used to be like a castle, where security teams could create thick walls to guard against attacks. But the days of doing business in this medieval way are well and truly over” said Nick Taylor, Cyber Security lead for Accenture UK. “Now, business structures resemble something more like the London Underground, with thousands of entry points. Threat actors are preying on the weaker links. Smaller businesses, in particular, are seen as a means of infiltrating larger organisations.”
Even industries with a more demanding regulatory landscape are struggling to keep track. 57% of respondents in the banking industry report that they simply place their trust in their ecosystem partners.
“Organisations must learn to collaborate on security. This doesn’t just mean with other businesses, but also with governments. Some of the most devastating attacks we’ve seen in recent years have been state-sponsored, which will take a combined effort to combat.” Nick Taylor continued. “With this type of attack on the rise, organisations will surely start to get rid of their weakest links. For those who get it right, security could be a real competitive differentiator and a make or break in deals.”
Organisations should take several fundamental steps as a starting point:
- Collaborate with the community: 87% of executives recognise that they need to rethink their approach to security to defend not just themselves, but also their ecosystems. Netflix is among those leading the open-source security charge, sharing internally developed security tools with the world since 2014.
- Couple security with corporate strategy: Only 38% of businesses report including the chief information security officer when considering new business opportunities. GE, for example, has CISOs assigned to specific regions and business units to help inform decision-making at a more granular level.
- Think creatively about vulnerabilities: Businesses must learn to think like a hacker when threat modelling. A group of hackers made millions from insider information about publicly traded companies—not by attacking the companies themselves, but by targeting the newswire agencies that get early access to press releases from the world’s largest businesses.
- It’s not just a spring clean: Large enterprises have hundreds, if not thousands, of third-party partners going through various stages of on and offboarding. Each has varying levels of network access. Organisations must create a process which allows them to continuously reassess where their vulnerabilities are.