Dive Brief:
- Companies that supply financial organizations fare worse on cybersecurity than the organizations they’re supplying, according to a report BitSight published on Thursday.
- The security gap between financial-services firms and their vendors highlights a major third-party risk facing the financial sector, which generally outperforms other sectors on cybersecurity but is still exposed to the failures of its suppliers.
- Financial-services firms should perform “rigorous diligence and monitoring” of their suppliers to prevent supply chain attacks, BitSight said.
Dive Insight:
To assess the gap between financial-services organizations and their vendors, BitSight tested a range of companies from each group on 22 risk vectors, including spam blocking, open ports, mobile application security, endpoint security and patching cadence. On 16 of the risk vectors, suppliers fared worse than their customers, with gaps as big as 15%. Web application security, TLS and HTTP headers were among the areas where suppliers performed the worst compared with their customers.
Suppliers performed better than their customers on six risk vectors, including their use of the DMARC and DKIM email-authentication standards and of DNSSEC, which signs DNS records so that domain lookups cannot be silently tampered with. BitSight, a cyber risk analysis firm, said that finding “aligns with expectations for larger, more technology-focused organizations.”
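Several of the risk vectors named above (DMARC, TLS and HTTP headers) can be checked from the outside without any cooperation from the supplier, which is what makes them usable for continuous third-party monitoring. The script below is an added illustration of that kind of check and is not BitSight's methodology or code; the grading rules (HSTS minimum age, which TLS versions count as legacy, which headers are expected) are the author's assumptions, and the two supplier domains and their observations are constructed inline so the example runs offline.

```python
"""Assess a supplier's externally observable posture on three risk vectors:
DMARC, offered TLS versions, and HTTP security headers.

Added example, not BitSight's scoring. Thresholds and expected headers are
assumptions; the observations below are constructed, not real measurements.
"""
import re

# Constructed observations for two hypothetical suppliers (not real data).
OBSERVATIONS = {
    "vendor-a.example": {
        "dmarc_txt": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example",
        "tls_versions": ["TLSv1.2", "TLSv1.3"],
        "http_headers": {
            "strict-transport-security": "max-age=31536000; includeSubDomains",
            "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
            "x-content-type-options": "nosniff",
        },
    },
    "vendor-b.example": {
        "dmarc_txt": "v=DMARC1; p=none; pct=100",
        "tls_versions": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
        "http_headers": {
            "server": "Apache/2.4.6",
            "strict-transport-security": "max-age=300",
        },
    },
}

LEGACY_TLS = ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1")
HSTS_MIN_AGE = 180 * 24 * 3600  # assumed minimum: 180 days


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag->value dict; {} if not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def check_dmarc(txt):
    """Return a list of findings; empty list means the vector looks healthy."""
    tags = parse_dmarc(txt or "")
    if not tags:
        return ["no DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC policy p=none (monitor only)")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"DMARC pct={pct} applies policy to only part of mail")
    if "rua" not in tags:
        findings.append("no rua aggregate-report address")
    return findings


def check_tls(versions):
    """Flag legacy protocol versions and the absence of any modern one."""
    findings = [f"legacy protocol offered: {v}" for v in versions if v in LEGACY_TLS]
    if not ({"TLSv1.2", "TLSv1.3"} & set(versions)):
        findings.append("no modern TLS version offered")
    return findings


def check_http_headers(headers):
    """Check the usual security headers; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS max-age below 180 days")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "server" in h and re.search(r"/\d", h["server"]):
        findings.append("Server header discloses software version")
    return findings


def assess(obs):
    """Run every vector check over one supplier's observations."""
    return {
        "dmarc": check_dmarc(obs.get("dmarc_txt")),
        "tls": check_tls(obs.get("tls_versions", [])),
        "http_headers": check_http_headers(obs.get("http_headers", {})),
    }


if __name__ == "__main__":
    for domain, obs in OBSERVATIONS.items():
        print(domain)
        for vector, findings in assess(obs).items():
            print(f"  {vector}: {'ok' if not findings else '; '.join(findings)}")
```

In a real monitoring pipeline the three inputs would come from a DNS TXT lookup of `_dmarc.<domain>`, a TLS handshake probe, and a fetch of the supplier's main site; the checks themselves stay the same, and a vendor with findings on every vector is the kind of supplier the report suggests deserves closer diligence.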
It isn’t surprising that suppliers have more digital risks than their customers, given that they also have more digital assets, BitSight said. These vendors are also “absorbing the cyber risks associated with the problems” that they’re solving for their customers, the report said.
Regardless, BitSight said in its report, “given the regulatory requirements and risk of exposure, it may be troubling for financial sector organizations to learn that their suppliers tend to underperform when it comes to security.”
The financial sector is doing better at monitoring the security of its suppliers than other sectors are, according to the report. The average financial firm monitors 36% of its supply chain, compared with a figure of 25% for organizations across all sectors.
“Given the growing number of supply chain incidents involving technology providers, perhaps financial sector organizations should be monitoring more of their providers,” BitSight said. “On the other hand, it is possible that financial sector organizations have undertaken a criticality determination and concluded that the vast majority of technology vendors within their supply chain do not need to be continuously monitored.”
Financial sector suppliers whose customers don’t monitor their security have roughly three times more critical vulnerabilities in their environments compared with suppliers that are monitored, according to BitSight.
One of the most curious statistics in the report involves the performance of suppliers that multiple customers are monitoring. BitSight found “a slight decrease in the security performance of [suppliers] who are monitored by more organizations,” which it said could be because those suppliers are the biggest vendors (and thus have the biggest attack surfaces).
“We believe this is a trend worth more analysis, and we will be doing additional research into this area,” BitSight said, “including the impact that direct engagement with organizations has on security posture.”
