In this blog, I will discuss a topic that plagues EVERY company, and that is how to secure remote access for our employees and our vendors.
Roughly a decade ago, only a rare few used secure remote access. These were the road warriors, executives, and salespeople who traveled frequently and needed to work while on the road. Today, with high-speed Internet connectivity and the pervasive use of mobile devices, many employees and vendors routinely rely on remote access to get their jobs done. It is essential for these individuals to have safe, anytime, anywhere access to corporate networks and services.
All this connectivity that extends outside an organization’s perimeter has significantly increased cyber risk. However, enterprises can take proactive steps to help drastically reduce the likelihood of a third-party breach and mitigate any damage intruders can do should they access your network.
To help you with that challenge, I have researched various remote access security recommendations, strategies, and best practices and have distilled them into ten tips that can help you enable more cost-effective, but safe, remote access for your organization.
How Secure is my Employee and Third-Party Remote Access?
I won’t waste your time explaining remote access. You all know what it is and deal with it daily, whether it be for remote workers, or vendor access. I will, however, offer a few quick statistics that will cause you to ask the questions, “How Secure is MY remote access, for employees AND third-party partners?” Throughout this blog, I will refer to either employee access OR third-party vendor access. Know that I am referring to both.
62% of employees routinely conduct at least some business remotely. Many more "day-extenders" like myself log back in at night and on weekends. The Telework Enhancement Act requires federal agencies to have policies to govern and promote teleworking.
Between teleworkers and vendors, we are challenged to enable secure access for increasingly large and diverse workforces, while simultaneously dealing with smaller budgets and tightening compliance mandates. As recently published threat research from BeyondTrust revealed, 58% of organizations believe they have suffered a breach due to vendor access, which is perhaps unsurprising given that, on average, enterprises have 182 different vendors that access their systems each week.
The Inherent Security Risks of Vendor Remote Access
Many potential risks accompany vendor remote access—from introducing malware into your systems to technical and business dangers.
Businesses have become increasingly reliant on third parties, such as contractors, contingent workers, and vendors (such as IT Services Providers) who enable these businesses to decrease operational costs and increase productivity and agility. But these rising numbers of external users and the associated logins, if not adequately secured, dramatically increase the likelihood of a serious data breach, as well as various regulatory violations. To put this in perspective, a recent study found that, on average, 182 vendors log into the systems of the typical enterprise each week.
Recognize that granting system access to an outsider lowers your security level to that of the external provider. If they lack strong security controls, they become your weakest link. If a hacker compromises their system, that partner can become a backdoor into your environment.
Also consider the business and reputation risks of misplacing your trust in a vendor. If your vendor’s system is used to gain malicious access to your system, your company's name will also be in the headlines. This lousy press may drive away customers and prospects.
Additionally, allowing external access circumvents technical controls, such as firewalls.
10 Best Practices for Securing Vendor Remote Access
Okay—that is more than enough about risk, and policy. Let’s now review my list of top-10 tips for securely enabling vendor and remote worker access.
TIP #1. Understand Your Threat Exposure
The first step in any security journey is discovering your weaknesses and vulnerabilities, in other words, your cyber threat exposure. You should have the mindset that your organization is a target that malicious actors are already attempting to attack through your third-party vendors. So, assume hostile threats will occur!
TIP #2. Have a Policy in place
Make sure you have a carefully drafted Remote Access policy in place with employees and vendors. Not having a comprehensive policy invites disputes over what data/information is what and may undermine the protection of your intellectual property.
TIP #3. Enforce those policies by using Remote Access Servers
The National Institute of Standards and Technology (NIST) advises that compromised servers could be wielded to eavesdrop on and manipulate remote access communications. They can also provide a starting point for attacking other hosts within your organization.
Because of this, NIST recommends that, in most cases, a remote access server be placed at an enterprise's network perimeter so that it serves as a single point of entry to the network and enforces the remote work security policy before any remote access traffic is permitted into the enterprise's internal networks.
TIP #4: Audit Your 3rd Party Vendors
The biggest third-party hacks in recent years have been the result of organizations giving their business partners access to sensitive information and systems, access to the network, responsibility for managing systems, and responsibility to host data and applications. Even your most trusted business partners can pose a security threat to your organization if they themselves have inadequate security.
Third-party vendors should only need access to specific parts of your network. Your third-party vendor assessment should focus on access. Implement a least privilege policy covering who can access your data and network, and, specifically, what they can access. Perform regular reviews of how your third parties use their credentials and who is using them to better manage your risk exposure.
When you engage the services of a third-party vendor, no matter how much you trust them or how long you’ve worked with them, it is essential to continuously assess the vendor’s security standards and best practices to determine if they meet those of your organization.
TIP #5: Require Multifactor Authentication
According to Verizon’s Data Breach Investigation Report, “76 percent of network intrusions exploited weak or stolen credentials.” Since vendors don’t need constant access to your network, they often use one remote access tool license and share generic logins and passwords across technicians. This makes the credentials easy for hackers to guess. What’s more, the vendor’s ex-employees often retain remote access to your systems.
For optimum protection and a clean audit trail, require everyone who accesses your network to use unique credentials and at least two-factor authentication. This will make it harder for a hacker to successfully use stolen vendor credentials.
Modern multi-factor authentication (MFA) solutions enable you to require third-party users to log in with a wide range of additional authentication factors, such as RFID cards, fingerprint biometrics, or smart cards.
TIP #6: Reduce Your Attack Surface
The more user entry points you have, the harder they are to manage, and the more exposed you are to an attack. By reducing network entry points to the fewest that are necessary, you increase your ability to monitor and block unwanted activity on your network.
TIP #7: Apply the Principle of Least Privilege to Vendor Access and Entitlements
The principle of least privilege is the golden rule here. Provide third parties with only what they absolutely need to do their jobs at any time.
TIP #8: Centralize and Control the Identity Access Lifecycle of 3rd Party Partners
Establish and manage distinct identity access lifecycles for different third parties, whether they are vendors, contractors, or IT staffers. Disable or re-evaluate access at the end of this lifecycle.
TIP #9: Purge Anonymous Accounts and Shared Passwords
Address anonymous accounts and shared passwords with automated account creation, provisioning, and management for all users, including third- and even fourth-party users. You need to ensure a one-to-one relationship between users and accounts. You can address this via enterprise password management solutions.
Add layered authentication through MFA to reduce account sharing among third parties. Some of the most significant data breaches of the last decade, like Target and Home Depot, could have been stopped with this simple step.
TIP #10: Capture All Activity and Regularly Monitor Audit Logs
To ensure continued security and compliance, you should use a modern privileged access management (PAM) solution with strong capabilities to track, audit, record, and centrally monitor all access requests, approvals, revocations, and certifications—for both internal and external privileged users.
An effective PAM solution helps defend against such remote access threats. Privilege management allows you to grant and remove administrative privileges to individuals for any system. At the very least, the PAM solution can monitor back-end access logins and alert administrators about privileged sessions that do not comply with access policies (e.g., why is the HVAC vendor logging into the Point of Sale (POS) system?).
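The checks described in Tips #8 through #10 can be sketched over a session log. This is an added example, not code from the original post or from any PAM product; the policy layout, account names, hostnames, and log format are all constructed assumptions. It flags sessions from unknown accounts, sessions after the access lifecycle has ended, sessions to systems outside the vendor's scope (the HVAC-to-POS case), and one account used from several source addresses in a day, a rough indicator of a shared login.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed policy: account -> systems it may reach and the lifecycle end date.
POLICY = {
    "hvac-tech1": {"systems": {"bms-01"}, "expires": "2024-06-30"},
    "itsp-alice": {"systems": {"app-01", "db-01"}, "expires": "2024-03-31"},
}

# Constructed session log: timestamp, account, source IP, target system.
SESSIONS = """\
2024-04-02T09:14:00 hvac-tech1 198.51.100.7 bms-01
2024-04-02T09:40:00 hvac-tech1 198.51.100.7 pos-03
2024-04-02T09:45:00 hvac-tech1 203.0.113.50 bms-01
2024-04-03T22:05:00 itsp-alice 192.0.2.10 db-01
2024-04-04T08:00:00 vendor-shared 192.0.2.99 app-01
"""

def audit(log_text, policy):
    """Return (timestamp, account, finding) for every non-compliant session."""
    findings = []
    ips_by_day = defaultdict(set)  # (account, day) -> source IPs seen so far
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, account, src_ip, target = parts
        day = datetime.fromisoformat(ts).date()
        entry = policy.get(account)
        if entry is None:
            # No one-to-one user/account record exists (Tip #9).
            findings.append((ts, account, "UNKNOWN_ACCOUNT"))
            continue
        if day > date.fromisoformat(entry["expires"]):
            # Access was not disabled at the end of its lifecycle (Tip #8).
            findings.append((ts, account, "EXPIRED_ACCESS"))
        if target not in entry["systems"]:
            # Session reaches a system outside the vendor's scope (Tip #10).
            findings.append((ts, account, "OUT_OF_SCOPE:" + target))
        seen = ips_by_day[(account, day)]
        if seen and src_ip not in seen:
            # Heuristic only: a second source in one day may mean a shared login.
            findings.append((ts, account, "MULTIPLE_SOURCES"))
        seen.add(src_ip)
    return findings

if __name__ == "__main__":
    for finding in audit(SESSIONS, POLICY):
        print(*finding)
```

The multiple-source check is a heuristic and will also fire for a technician who legitimately changes networks, so treat it as a prompt for review rather than proof of credential sharing.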
Final thoughts on securing vendor access & your remote workforce
Your internal network environment is complicated enough. The last thing you need is someone else’s inbound connection leading to the compromise of your network. Given how many businesses are now interconnected, security is only going to get more complicated. You need to address your weakest link—and frequently this is your third-party network connections. Commit to making vendor risk management a top priority. Make vendor information security assessments and audits an ongoing exercise, and apply enterprise-class remote access technologies to ensure all access is secure—even when it extends beyond your perimeter.
For more on this subject, check out my on-demand webinar, where I cover in more depth:
- How to identify remote access risks across your organization
- How to communicate and address this risk across your employees, partners, and vendors
- Creating and enforcing remote access / remote working cybersecurity policies
- How to improve security and operational performance by consolidating remote access tools across the enterprise
- Tips for securing vendor and remote employee access
Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland, University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy, and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.