It is well known that the Target breach cost the company $148 million and resulted in the resignation of the company’s CIO and CEO. Less well known is the fact that the attackers exploited an unsecured heating and cooling (HVAC) vendor with trusted digital connections to Target in order to circumvent Target’s security defenses. Increasingly, companies connect with business partners via cloud services, and in the wake of Target’s breach, we wanted to examine the scale and risk of these connections. We analyzed partner connections for over 400 companies to assess their cyber risk.
Statistics on cloud-based partner connections
We found that the average company connects with 1,555 business partners via the cloud, including suppliers, distributors, vendors, and customers. For example, a manufacturing company may connect with another manufacturing company via the cloud to plan development of products that integrate with each other, a technology company may connect with a services organization via the cloud to organize go-to-market activities related to a product launch, or a media company may connect to an HR provider via the cloud to track employee benefits.
These connections are helping companies reduce inventories with just-in-time manufacturing, bring innovative products to market faster, and deliver better customer service. The high tech and manufacturing verticals are the most prolific when it comes to connecting with partners via the cloud, followed by healthcare, media and entertainment, and financial services. Across industries, companies connect to hundreds of business partners via cloud services.
The most connected industries
Companies of all industries connect with business partners from all industries, but there are clear patterns in inter-industry connections via the cloud. For high tech companies, the most common business partners are in the 1) high tech, 2) business services, 3) manufacturing, 4) retail, and 5) financial services industries. For manufacturing companies, the most common business partners are in 1) high tech, 2) business services, 3) manufacturing, 4) real estate and construction, and 5) healthcare. All partner connections are summarized in the chart below.
Given the scale of these partner connections, how much risk do companies experience? One way to think about risk exposure is to look at the volume of data shared with partners. Media and entertainment partners, which include advertising agencies, receive 33.7% of data – more than any other partner type. Next, manufacturing partners receive 20.9% of data, followed by high tech (16.6%) and retail (11.3%). When data is shared with a business partner, your information security concerns extend to their security practices and posture.
Breaking down the risk of partner connections
We assessed the risk of thousands of partners using attributes like compromised accounts for sale online, the number of machines infected with malware, and the presence of unpatched vulnerabilities such as Heartbleed and POODLE. We found 8% of companies present a high cyber security risk to their partners due to the potential for compromise, while 37% are low-risk from a cyber security standpoint. However, a disproportionate 29% of data shared with partners is uploaded to high-risk partners, exposing many companies to risk of data loss and breaches.
There are significant differences in risk between industries that can inform your own efforts in reining in partner cyber risk. The industry with the largest percentage of high-risk businesses is telecommunications, with 30.4% of companies rated as high-risk. Next, 28% of agriculture and mining companies are high-risk, followed by 21% of construction and real estate companies, which includes HVAC vendors (like the one exploited in the Target breach to compromise Target’s data and systems).
The highest-risk partners
Let’s take a look at some examples of high-risk partners. All of them have systems still vulnerable to the POODLE vulnerability in SSL, six months after it was discovered:
- An advertising agency with 1,565 compromised identities available for sale across 29 Darknet sites
- A company that provides technology for the financial services industry that has 1,216 compromised identities across 19 Darknet sites
- An airline with 209 machines infected with malware, and 9,716 compromised identities across 19 Darknet sites
- A heating and cooling company (different from the one in the Target breach) with 444 compromised identities across 15 sites
Companies that connect with partners like the ones above are at an increased risk of data breaches and loss of sensitive data. To protect your company, you can start by auditing the business partners you exchange data with via the cloud and the sensitivity of the data you share. In order to make these trusted digital connections, some organizations require that a security audit of the business partner be performed, similar to the due diligence performed during the evaluation of a new software solution.
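One way to run the audit suggested above, as an added example that is not from the original report: join cloud upload records with per-partner risk attributes of the kind the article names, then measure how much data lands with high-risk or unassessed partners. The domains, upload records, and tier thresholds are constructed assumptions; the article does not publish its scoring model.

```python
from collections import defaultdict

# Constructed sample data: per-partner risk attributes (the kinds named in the article).
PARTNER_RISK = {
    "adagency.example":  {"compromised_ids": 1565, "infected_hosts": 0, "poodle": True},
    "hvac.example":      {"compromised_ids": 444,  "infected_hosts": 0, "poodle": True},
    "payroll.example":   {"compromised_ids": 0,    "infected_hosts": 0, "poodle": False},
    "logistics.example": {"compromised_ids": 0,    "infected_hosts": 2, "poodle": False},
}

# Constructed upload records: (partner domain, bytes uploaded, data classification).
UPLOADS = [
    ("adagency.example", 600_000, "public"),
    ("adagency.example", 150_000, "confidential"),
    ("hvac.example", 50_000, "internal"),
    ("payroll.example", 900_000, "confidential"),
    ("logistics.example", 300_000, "internal"),
    ("unknown-vendor.example", 100_000, "confidential"),  # no risk data on file
]

def risk_tier(attrs):
    """Classify a partner. Thresholds are assumptions, not the article's model."""
    if attrs is None:
        return "unassessed"
    if attrs["poodle"] or attrs["compromised_ids"] >= 100 or attrs["infected_hosts"] >= 50:
        return "high"
    if attrs["compromised_ids"] or attrs["infected_hosts"]:
        return "medium"
    return "low"

def audit(uploads, partner_risk):
    """Return (% of uploaded bytes per risk tier, confidential uploads needing review)."""
    by_tier = defaultdict(int)
    findings = []
    for partner, nbytes, label in uploads:
        tier = risk_tier(partner_risk.get(partner))
        by_tier[tier] += nbytes
        # Sensitive data sent to a risky or never-assessed partner is the audit finding.
        if label == "confidential" and tier in ("high", "unassessed"):
            findings.append((partner, tier, nbytes))
    total = sum(by_tier.values())
    share = {tier: round(100 * n / total, 1) for tier, n in by_tier.items()}
    return share, sorted(findings, key=lambda f: -f[2])

if __name__ == "__main__":
    share, findings = audit(UPLOADS, PARTNER_RISK)
    print("share of uploaded bytes by partner risk tier (%):", share)
    for partner, tier, nbytes in findings:
        print(f"REVIEW {partner}: {nbytes} confidential bytes sent to {tier} partner")
```

Partners with no risk data are reported as their own tier rather than treated as low-risk, so gaps in the partner inventory show up in the same report.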
For a look at more data related to partner connections in the cloud as well as other trends in cloud adoption, download our latest cloud adoption and risk report.