Survey: Partnerships increase security risks

Three-quarters of businesses and government agencies said they believe having partners increases the chances of an information security breach, but less than 50 percent said they evaluate their partners’ security.

Many organizations and agencies have internal compliance mandates and security audits, but they do not have a programmatic way of assessing the security of their external networks, which include those of their partners, said Peter Tippett, Cybertrust’s chief technology officer, in a statement accompanying the survey.

Nearly three-quarters of businesses and government agencies believe having partners increases the chances of an information security breach, and 13 percent said they have terminated a partnership because of security concerns, a new survey found.

Cybertrust, a global information security consulting company, conducted the survey of more than 200 organizations worldwide. More than 8 percent of the organizations were government agencies.

According to the findings, organizations overwhelmingly agree on the need to monitor their business partners’ security, but less than 50 percent said they do so. Organizations that do assess their partners’ security are three times less likely to experience security breaches.

One-third of respondents reported at least one security incident involving business partners in the previous year. Malicious code was the most prevalent at 43 percent, followed by:

  • Unauthorized network access, 27 percent.
  • Denial-of-service attacks, 9 percent.
  • System abuse or misuse, 8 percent.
  • Data theft, 7 percent.
  • Fraud, 6 percent.

“Without this awareness, organizations continue to leave themselves open to financial and legal risks, as well as brand implications,” Tippett said.

Although 91 percent of respondents said senior managers should make information security a moderate to high priority, about 50 percent said they believe their managers give it low priority or none at all.

When respondents were asked how often they assess the security of their partners’ information systems, about half said never or were not sure. Nineteen percent said they conducted assessments only prior to forming the partnership.

For those organizations that conduct security assessments, the predominant method was a simple informal agreement, accepting the partner's promise that its systems were secure. Formal written agreements ranked a close second, while a few reported using such measures as questionnaires, light scans and third-party audits.

The report, “Risky Business: Information Security in the Extended Enterprise,” can be downloaded free.