Companies in the finance industry supply chain are not meeting the same security standards that finance organizations hold for their own businesses, meaning third-party vendors are putting financial firms at risk.
Cambridge, Mass.-based BitSight, in a new report, “The Buck Stops Where? Assessing the Cybersecurity Performance of the Finance Supply Chain,” found that a significant security performance gap exists between finance firms and companies in their supply chain. The mean rating for finance companies was at least 30 points higher than the mean of companies in their supply chain.
While finance organizations tend to have more sophisticated vendor risk management programs, there is a lot of work needed to close the performance gap between their own organizations and their immediate business ecosystem, Stephen Boyer, co-founder and CTO of BitSight, said. “The findings of this report are not only relevant for the finance sector, but for companies across all industries who share data with and rely upon external business services. Organizations should scrutinize the security culture and controls of their third and fourth parties. Ensuring that your vendor’s systems are up-to-date and that their employees are not engaging in risky peer-to-peer file sharing is one way to reduce immediate third party cyber risk.”
Other key findings include:
- One in five business services organizations in the finance supply chain had at least one desktop on their network running Windows XP or Windows Vista, neither of which is supported or patched any longer by Microsoft. Outdated Microsoft systems were the key culprit behind the massive WannaCry attacks.
- Companies in the finance industry supply chain with a combined desktop software grade of “B” or lower were more than twice as likely to have had a botnet infection in the past year. Previous BitSight research found that companies with more than 50 percent of their desktop operating systems or Internet browsers out of date were two to three times more likely to experience a publicly disclosed data breach.
- Peer-to-peer file sharing occurred in less than one percent of finance organizations, but it occurs in over 20% of technology and business services firms in the finance industry supply chain.
- Nearly one in five technology and business services firms in the finance supply chain ran unsupported Windows IIS or Apache on servers. Certain versions of Windows IIS 6 are vulnerable to exploits including “ExplodingCan.”
- High torrent activity, which involves downloading many small pieces of files simultaneously from diverse sources, correlated with a higher rate of system compromise, as previous BitSight research found. Over 40% of torrented applications contained malicious software.
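The findings above point at indicators a security or risk team can check in its own vendor asset inventory: desktops still on Windows XP or Vista, servers on unsupported web server builds, and the share of out-of-date desktops that the report ties to a higher breach rate once it passes 50 percent. The following script is an added illustration, not BitSight's code or rating methodology; the inventory, the vendor names and the Apache end-of-life prefixes are constructed assumptions, while the XP/Vista and IIS 6 indicators and the 50 percent threshold come from the findings.

```python
from collections import defaultdict
from dataclasses import dataclass

# Indicators named in the report: Windows XP and Vista are no longer patched
# by Microsoft, and IIS 6 is the web server version the report calls out.
EOL_DESKTOP_OS = {"Windows XP", "Windows Vista"}
# Version prefixes treated as unsupported. The Apache entries are an
# assumption for illustration; substitute your own end-of-life policy.
EOL_SERVER_VERSIONS = {"IIS": ("6",), "Apache": ("2.0", "2.2")}
# The report ties a >50% share of out-of-date desktop OS/browsers to a
# two-to-three-times higher rate of publicly disclosed breach.
OUTDATED_SHARE_THRESHOLD = 0.5


@dataclass(frozen=True)
class Asset:
    vendor: str
    role: str       # "desktop" or "server"
    software: str   # OS name for desktops, web server product for servers
    version: str


def version_matches(version, prefixes):
    """True if version equals a prefix or sits under it (e.g. '6.0' under '6')."""
    return any(version == p or version.startswith(p + ".") for p in prefixes)


def is_end_of_life(asset):
    """Apply the desktop OS list or the per-product server version prefixes."""
    if asset.role == "desktop":
        return asset.software in EOL_DESKTOP_OS
    return version_matches(asset.version, EOL_SERVER_VERSIONS.get(asset.software, ()))


def assess(assets):
    """Group a flat inventory by vendor and summarize the report's indicators."""
    by_vendor = defaultdict(list)
    for asset in assets:
        by_vendor[asset.vendor].append(asset)
    findings = {}
    for vendor, items in by_vendor.items():
        eol = [a for a in items if is_end_of_life(a)]
        desktops = [a for a in items if a.role == "desktop"]
        outdated = sum(1 for a in desktops if is_end_of_life(a))
        share = outdated / len(desktops) if desktops else 0.0
        findings[vendor] = {
            "eol_assets": [(a.role, a.software, a.version) for a in eol],
            "outdated_desktop_share": share,
            "above_threshold": share > OUTDATED_SHARE_THRESHOLD,
        }
    return findings


# Constructed inventory for illustration; vendor names are fictitious.
SAMPLE_INVENTORY = [
    Asset("Acme Outsourcing", "desktop", "Windows XP", "5.1"),
    Asset("Acme Outsourcing", "desktop", "Windows Vista", "6.0"),
    Asset("Acme Outsourcing", "desktop", "Windows 10", "1703"),
    Asset("Acme Outsourcing", "server", "IIS", "6.0"),
    Asset("Lex Legal", "desktop", "Windows 10", "1703"),
    Asset("Lex Legal", "desktop", "Windows 7", "6.1"),
    Asset("Lex Legal", "server", "Apache", "2.4.27"),
]

if __name__ == "__main__":
    for vendor, result in assess(SAMPLE_INVENTORY).items():
        flag = "REVIEW" if result["eol_assets"] or result["above_threshold"] else "ok"
        print(f"{vendor}: {flag}, outdated desktops "
              f"{result['outdated_desktop_share']:.0%}, EOL assets {result['eol_assets']}")
```

Run as-is, the script flags the first constructed vendor (two of three desktops on XP/Vista and an IIS 6 server) for review and passes the second. In practice the inventory would come from a vendor questionnaire or an external scan rather than a literal list, and the end-of-life tables would follow the organization's own support policy.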
As part of the study, BitSight researchers evaluated the security posture of more than 5,200 legal, technology (information technology and software providers), and business services (accounting, human resources, management consulting and outsourcing) organizations across the globe, whose security ratings are tracked and monitored by hundreds of finance firms using the BitSight Security Rating platform. BitSight noted that these industries represent a set of critical vendors and business partners for any organization, and that the findings help security and risk professionals shape the way they monitor vendors to identify immediate risks that may impact their organization.
As of September 1, 2017, the mean rating of finance companies in this BitSight study was 710. However, the mean ratings for legal organizations, technology firms, and business services firms were 680, 670, and 660 respectively.
Using evidence of security incidents from networks around the world, the BitSight Security Rating Platform applies algorithms to produce daily security ratings for organizations, ranging from 250 to 900, where higher ratings equate to lower risk. Previous studies from BitSight, independently verified by third parties, showed that companies with a security rating of 500 or lower are almost five times more likely to experience a publicly disclosed breach than companies with a security rating of 700 or higher. Studies also show that organizations with a higher frequency of botnet infections (actual system compromises) experience a higher likelihood of breach.