When it comes to protecting sensitive data, companies often overlook the risks stemming from business partnerships. But the risk is real and growing. Last year, about 39 percent of external breaches were business-partner-related, according to the recent Verizon Data Breach Investigations Supplemental Report. That’s up from “almost none” just a few years ago, says Bryan Sartin, Verizon’s director of investigative response.
Partnership risks are the “fastest growing” data breach trend, he says. Sartin, who conducts computer forensic investigations, says the growth stems mainly from business-support partnerships, as opposed to more formal, business-to-business outsourcing relationships. Such supportive partnerships can include groups of consultants, companies that pick up and store data tapes, and firms that help with IT maintenance and repair.
A growing number of hackers are approaching support-company staff in efforts to buy data such as user names and passwords, Sartin says. “[Hackers] might say to those they approach, ‘If you don’t like your company or are having financial difficulties, we can help.’”
Sartin says he has seen a significant increase in the availability of such data in online criminal marketplaces. User names and passwords can allow criminals to access data with little technical sophistication, he says. And the use of legitimate login credentials can often avoid raising suspicion.
To minimize the risk, companies should take a holistic approach to partnership security and take some immediate steps to strengthen access control policies, say analysts.
(The full version of "Watch Your Business Partners" appears in the March 2010 issue of Security Management.)