A third-party vendor refers to an outside organization that has an agreement with your company to provide a product or service. Often, delivering that product or service requires the third party to have access to your system(s). Today, it’s pretty much impossible to find a company that doesn’t use third-party vendors. But can you account for every third-party user who is currently connected to your corporate network?
Most organizations can account for most, if not all, internal traffic. They may provide VPN access with multi-factor authentication to their vendors for “secured” access. This might make you feel reasonably comfortable that you have a secure network, but can you be sure there are no holes in your defense?
BeyondTrust research found that the average organization has 182 vendors that connect to its systems each week, and 58% of organizations believe they have incurred a vendor-related breach. You are likely pretty familiar with data breach horror stories like Target’s astounding leak of 40 million customer credit and debit card accounts or Home Depot’s stolen 56 million payment card accounts. These particular breaches—resulting from poorly secured third-party access—caused substantial brand and financial damage to both companies. This leads me to ask the question, do you trust your vendors too much when it comes to cybersecurity?
Many organizations appear to place too much trust in the vendors with whom they work. But there is a growing realization that the decision to grant a vendor access to a network needs to be based on more than blind faith. Instead, organizations need to put robust controls and checks in place to mitigate the security risk vendors introduce. You must understand not only what technology and tools vendors use to access your network, but also when they are accessing your systems and what session activities they are performing while connected.
Clearly, vendors and third-party suppliers are vital to your organization, but you absolutely must layer in fine-grained control over their access to your systems. Let’s look at some of the threats associated with vendor access. We can break down the risk into two areas, as follows:
1. Risk from Outside
Contractors, HVAC companies (the Target breach infamously started via an HVAC vendor), building maintenance, managed service providers, and more—the list of third parties that may have access to your network at any given time is long. Many of these vendors and workers connect to your systems remotely to perform their daily duties in support of your organization. The problem is that many of the systems they interact with are also connected to your corporate network. Numerous high-profile breaches (like the ones I named above) have demonstrated that vendor networks can be leveraged to gain access to your environment.
2. Typical Attack Vectors
Hackers can steal credentials to gain access to vendor-controlled systems, and then exploit vulnerabilities and poorly managed privileges to move throughout your organization. You are only as secure as your weakest link – the security of your environment may rest on the security practices and controls of a third party.
These two threats can easily be thought of as good guys against the bad guys; in fact, I often hear people referring to this as “keeping the good guys good and the bad guys out.”
The Challenge of Vendor Access Security
The big issue with adhering to policy and maintaining security across two companies is that the credentials used by the remote vendor are often not under your direct control. Two different networks with two different user directories, and perhaps two different security policies, make your job of security compliance a challenge. Even if you had a way to ensure security best practices were being followed, you still may have zero visibility into what activity is being performed on equipment that is connected to your network.
With that said, here is a list of Do’s and Don’ts for working with your vendors.
- Do understand the value of your data to your organization before allowing any third party to access it
- Do create security expectations for your vendors, describing and defining how they should secure your data
- Do establish an incident response plan
- Do share only the minimum information your vendor requires to meet your objectives
- Do perform continuous security monitoring of your third-party vendors and contractors
- Don’t create a generic expectation for security
- Don’t allow third parties to access your data without doing proper assessments
- Don’t let everyone in the third-party organization—or your organization—have access to your data
- Don’t allow third-party users to access your data using unapproved devices
- Don’t provide vendors with more information about proprietary products or information than they need
Additionally, here are three steps I recommend implementing for effective third-party risk management:
- Establish ownership and buy-in – Ensure your vendors and third-party partners have a stake in securing your organization
- Evaluate risks – Keep your eyes on the potential risk your partners pose to your organization
- Continuously audit and monitor third-party activity
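The monitoring the Do’s and Don’ts and the three steps call for can be made concrete by checking each vendor session against a written access policy: an approved maintenance window, enrolled devices, the systems the vendor is contracted to touch, and MFA. The example below is added here and is not code from the original post or from any product; the vendor names, host names, policy values and session records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class VendorPolicy:
    vendor: str
    approved_devices: set   # device IDs enrolled for this vendor's accounts
    allowed_hosts: set      # systems the vendor is contracted to work on (least privilege)
    window: tuple           # (start_hour, end_hour) approved maintenance hours, UTC

# Constructed policies: an HVAC contractor with a narrow scope and an MSP with 24h access.
POLICIES = {
    "hvac-co": VendorPolicy("hvac-co", {"dev-hvac-01"}, {"bms-controller"}, (8, 18)),
    "msp-inc": VendorPolicy("msp-inc", {"dev-msp-07", "dev-msp-08"}, {"fileserver-2", "dc-1"}, (0, 24)),
}

# Constructed session records: timestamp, vendor, device ID, target host, MFA flag.
SESSIONS = [
    "2024-03-05T10:15:00Z hvac-co dev-hvac-01 bms-controller mfa=yes",
    "2024-03-05T23:40:00Z hvac-co dev-hvac-01 bms-controller mfa=yes",   # outside window
    "2024-03-05T11:02:00Z hvac-co dev-hvac-01 pos-db-1 mfa=yes",         # host not contracted
    "2024-03-06T09:30:00Z msp-inc laptop-unknown fileserver-2 mfa=yes",  # unapproved device
    "2024-03-06T09:45:00Z msp-inc dev-msp-07 dc-1 mfa=no",               # MFA not enforced
    "2024-03-06T14:00:00Z unknown-vendor dev-x dc-1 mfa=yes",            # no policy on file
]

def check_session(line: str, policies=POLICIES) -> list:
    """Return the policy violations for one session record (empty list if compliant)."""
    ts, vendor, device, host, mfa = line.split()
    policy = policies.get(vendor)
    if policy is None:
        return ["no access policy on file for vendor"]
    findings = []
    hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
    start, end = policy.window
    if not start <= hour < end:
        findings.append("outside approved maintenance window")
    if device not in policy.approved_devices:
        findings.append("unapproved device")
    if host not in policy.allowed_hosts:
        findings.append("target host not in vendor's contracted scope")
    if mfa != "mfa=yes":
        findings.append("session authenticated without MFA")
    return findings

def audit(sessions=SESSIONS, policies=POLICIES) -> dict:
    """Map every non-compliant session record to its list of findings."""
    results = {s: check_session(s, policies) for s in sessions}
    return {s: f for s, f in results.items() if f}

if __name__ == "__main__":
    for record, findings in audit().items():
        print(record, "->", "; ".join(findings))
```

Each finding maps to a line in the lists above (window and device checks to the unapproved-device and monitoring items, the host check to sharing only what the vendor needs), so the policy file doubles as the written security expectation the post asks you to set.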
The Importance of Cloud Computing to Your Cybersecurity Strategy
Using the cloud can be a good strategy for keeping your data secure, and not just when dealing with third-party partners. Cloud computing security has matured, and service providers have developed sophisticated (and, more importantly, effective) detection and mitigation techniques that most businesses simply cannot afford to implement on their own.
I used to think that keeping my resources on-premise and under control guaranteed a strong security posture. However, I have learned that on-premise doesn’t necessarily mean more secure. All it takes is one phishing email or the failure to update an important piece of software for your data to be breached. All I need to do is name some of the latest corporate security breaches—and you’ll start to understand that on-premise solutions aren’t always able to defend against cybersecurity threats.
When using a cloud model, your data will be housed in secure data warehouses with restricted access to keep your data safe physically, and you will also have software and hardware controls in place to monitor your network 24/7/365. Cloud providers use advanced monitoring solutions to keep an eye on your data and defend against threats. Cloud computing models monitor and learn from the behavior of those who interact with your organization, including your third-party partners.
Also, your on-premise server room can’t always keep up with the changing threats. With the cloud, vulnerabilities are detected and patched immediately, which is crucial to mitigating security risks. Remediation is almost instantaneous.
It is a “necessary evil” to allow third-party access, and that is quite the proper phrase for it. We have very little choice but to grant access to our partners. However, we cannot just give them carte blanche access. We must approach vendor security with a modern, secure process. We must employ methods that can give us the peace of mind we need to grant the access that is required, without giving our vendors the keys to the kingdom.
For a deeper dive on the best strategies/technologies for ensuring secure remote access, check out my on-demand webinar here.
Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert in cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cybersecurity professor at the University of Maryland University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, an MS in IT Information Assurance, a Master’s in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leader’s Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.