Outsourced third-party vendors managed the majority of the compromised systems investigated at businesses in 2009, and they often introduced the weaknesses fraudsters exploited to gain access, according to data from Trustwave, a Chicago-based payment-security firm.
Third-party vendors or their software were responsible for roughly 81% of the security incidents and compromise investigations, while the businesses themselves were responsible for roughly 19%, according to Trustwave’s “2010 Global Security Report.”
For its report, Trustwave analyzed data gathered from nearly 1,900 penetration tests and more than 200 security incident and compromise investigations in 2009. In a penetration test, Trustwave works with a business to pinpoint the weaknesses in its systems before a compromise occurs; an incident investigation takes place after someone has already broken into a business’s systems.
Many businesses outsource information-technology services to third parties because they do not want to hire in-house staff members to handle it, says Nicholas Percoco, Trustwave senior vice president and head of SpiderLabs, a security team focused on forensics within Trustwave.
“When someone comes to fix [the technology] problems, that’s where we see a lot of the flaws,” says Percoco. “Those third-party organizations are not keeping the bar high.”
Third parties often do not follow security best practices, such as keeping anti-virus software up to date and changing default passwords, Percoco says, noting that he has seen instances of third-party vendors using a business’s own name as the password on the systems they manage.
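The two failures singled out above, default credentials and passwords built from the customer’s own name, are easy to audit for once a credential inventory exists. The following is an added example, not code from Trustwave or from the article; the default-password list, the organisation name and the inventory entries are all constructed for illustration, and the 12-character minimum is an assumed policy value rather than anything the report specifies.

```python
import re

# Constructed list of well-known default credentials (illustrative only,
# not taken from the Trustwave report).
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "default", "welcome"}

# Legal suffixes that carry no identifying information about the business.
IGNORED_NAME_TOKENS = {"inc", "llc", "ltd", "corp", "co", "company", "the"}


def normalize(text):
    """Lower-case and strip everything except letters and digits, so
    'Acme-2009!' and 'acme2009' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def name_tokens(org_name):
    """Distinctive words from the organisation name: four or more characters
    and not a generic legal suffix."""
    tokens = re.findall(r"[a-z0-9]+", org_name.lower())
    return {t for t in tokens if len(t) >= 4 and t not in IGNORED_NAME_TOKENS}


def weak_password_reasons(password, org_name, min_length=12):
    """Return the list of reasons a password fails the audit (empty if it passes)."""
    reasons = []
    p = normalize(password)
    if p in {normalize(d) for d in DEFAULT_PASSWORDS}:
        reasons.append("default credential")
    # Catches the 'business name as password' case, including the usual
    # year or digit suffix tacked onto it.
    if any(tok in p for tok in name_tokens(org_name)):
        reasons.append("derived from organisation name")
    if len(password) < min_length:  # assumed policy minimum, not from the report
        reasons.append("shorter than %d characters" % min_length)
    return reasons


def audit_credentials(entries, org_name):
    """Map each failing system name to its list of reasons; passing systems are omitted."""
    findings = {}
    for entry in entries:
        reasons = weak_password_reasons(entry["password"], org_name)
        if reasons:
            findings[entry["system"]] = reasons
    return findings


# Constructed sample inventory of the kind a vendor might leave behind on a
# retail network; the hostnames and passwords are invented.
SAMPLE_INVENTORY = [
    {"system": "pos-terminal-01", "password": "Acme2009"},
    {"system": "store-router", "password": "admin"},
    {"system": "backoffice-db", "password": "Tr0ub4dor&3xQ!v9"},
]

if __name__ == "__main__":
    for system, reasons in audit_credentials(SAMPLE_INVENTORY, "Acme Retail Inc").items():
        print(system, "->", "; ".join(reasons))
```

Run against the sample inventory with the organisation name “Acme Retail Inc”, the first two systems are flagged (one for a name-derived password, one for a default credential, both for length) and the third passes. In practice the inventory would come from a password manager export or a configuration scan rather than a literal list, and the default-password set would be much larger.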