Nearly three quarters of organizations worldwide feel that business partners increase their levels of information security risk, and 13 per cent of organizations have terminated a business partnership due to information security concerns, according to a recent survey of more than 200 organizations worldwide by Cybertrust.
Although survey respondents overwhelmingly agree with the need to monitor the security of their business partners, fewer than half actually assess partner security. However, the study demonstrated that those organizations that do conduct business partner security assessments experience a more than three-fold reduction in the likelihood of security incidents.
When asked if their organizations had suffered a security incident involving business partners within the previous year, 32 per cent of respondents reported at least one type of incident, with an additional 12 per cent unsure. Of those organizations reporting incidents, malicious code was the most prevalent, with 43 per cent of respondents reporting infections, followed by unauthorized network access (27 per cent), denial of service (9 per cent), system abuse or misuse (8 per cent), data theft (7 per cent), and fraud (6 per cent).
Organizations resoundingly feel that assessing the information security of business partners is a priority – 91 per cent of respondents felt that information security relating to business partnerships should be given moderate to high priority by senior management. However, the actual level of priority given by management reflects a different reality.
About half of respondents felt that management gives information security no or low priority; the other half felt management placed moderate or high priority on assessing partner security. These findings represent approximately a 45 per cent difference between what respondents feel should be done, and what ultimately is done, at their organizations.
When respondents were asked how often they assess the security of their business partners' information systems, about half responded never, or were not sure. Nineteen per cent of respondents conducted assessments only prior to the partnership, with the remaining respondents conducting assessments during the partnership only (7 per cent), or both prior to and during the partnership (23 per cent).
Unfortunately, for those organizations conducting assessments, the predominant method of doing so was a simple informal agreement – accepting the partner's promise that their systems were secure. Formal written agreements ranked a close second, while an elite few employed such measures as questionnaires, light scans and third-party audits.
The findings above help to explain why 79 per cent of respondents felt that an independent, objective, reliable and quick metric to assess the security practices of their business partners would be beneficial to their organization. To that end, recognizing the need for organizations to evaluate and assess business partner security risks, in the next month Cybertrust will be launching its Partner Security Program, a comprehensive solution for organizations to manage the compliance of their extended enterprise.