A third (33%) of companies in the digital supply chain expose unsafe network services to the internet, putting sensitive data at risk, according to a new report published today by RiskRecon and the Cyentia Institute.
Following an assessment of millions of internet-facing systems across approximately 40,000 commercial and public institutions, it was found that datastores, such as S3 buckets and MySQL databases, are most commonly exposed to the internet. This was followed by remote access services, which is especially concerning given the shift to home working that has taken place during the COVID-19 pandemic.
Education was the sector most likely to expose unsafe network services to the internet, with 51.9% of universities running unsafe services on non-student systems.
The study also revealed there was significant geographic variation, with the Ukraine, Indonesia, Bulgaria, Mexico and Poland having the highest rate of domestically-hosted systems running unsafe services.
Additionally, there was a correlation between exposed unsafe services to the internet and wider critical security issues in the digital supply chain. For instance, failure to patch software and implement web encryption were noted as two of the most prevalent security findings associated with unsafe services.
The study authors added that the impact is exacerbated when vendors and business partners run unsafe, exposed services used by their digital supply chain customers.
Kelly White, CEO of co-founder at RiskRecon commented: “Blocking internet access to unsafe network services is one of the most basic security hygiene practices. The fact that one-third of companies in the digital supply chain are failing at one of the most basic cybersecurity practices should serve as a wake-up call to executives’ third-party risk management teams.
“We have a long way to go in hardening the infrastructure that we all depend on to safely operate our businesses and protect consumer data. Risk managers will be well served to leverage objective data to better understand and act on their third-party risk.”