One of the weakest links in an organization’s IT security may be the most obvious: The telecom provider.
That’s one of the implications of a report issued Tuesday by security vendor Skyhigh Networks, which examined the vulnerabilities online partners open up to their unwitting customers.
“The industry with the largest percentage of high-risk businesses is telecommunications, with 30.4 per cent companies rated as high-risk,” says the report.
Twenty-eight per cent of agriculture and mining companies are high-risk, followed by 21 per cent of construction and real estate companies, which includes heating and ventilation (HVAC) companies like the one exploited in the estimated US$148 million Target stores breach to compromise the retailer’s data and systems.
The study examined partners (everyone from service providers to suppliers, including SaaS services such as Office 365, WebEx, Box and others) used by 17 million cloud users (15 million last year).
Risk was judged by using attributes like compromised accounts for sale online, the number of machines infected with malware, and the presence of unpatched vulnerabilities such as Heartbleed and POODLE.
Overall, Skyhigh estimates eight per cent of partners are a high cyber security risk to the companies they deal with due to the potential for compromise. Thirty-seven per cent are low-risk from a cyber security standpoint.
The report said that, at the time of the survey, all of those high-risk companies had systems still vulnerable to the POODLE vulnerability in SSL, six months after it was discovered.
There were other potentially alarming discoveries:
– an unnamed advertising agency with 1,565 compromised identities available for sale across 29 darknet sites. The darknet is another word for the underground Internet where stolen data and malware are trafficked;
– a company that provides technology for the financial services industry that has 1,216 compromised identities across 19 darknet sites;
– an airline with 209 machines infected with malware, and 9,716 compromised identities across 106 darknet sites;
– a heating and cooling company (different from the one in the Target breach) with 444 compromised identities across 15 sites.
The report is another reason for organizations to ensure that their partners use the latest security techniques, including two-factor authentication.