What’s the “Right” Amount of Vendor Access?

November 5, 2019


A third-party vendor refers to an outside organization that has an agreement with your company to provide a product or service. Often, the delivery of the product or service necessitates that the third-party have access to your system(s). Today, it’s pretty much impossible to find a company that doesn’t utilize third-party vendors. But are you able to account for every third-party user who’s currently connected to your corporate network?

Most organizations can account for most, if not all, of their internal traffic. They may also provide vendors with VPN access protected by multi-factor authentication and consider that access "secured." That might make you reasonably comfortable that your network is safe, but can you be sure there are no holes in your defense? A VPN proves who is connecting, not what they may touch once inside; without further controls, a vendor's session typically has the same network reach as any internal user.

BeyondTrust research found that the average organization has 182 vendors that connect to its systems each week, and 58% of organizations believe they have incurred a vendor-related breach. You are likely pretty familiar with data breach horror stories like Target’s astounding leak of 40 million customer credit and debit card accounts or Home Depot’s stolen 56 million payment card accounts. These particular breaches—resulting from poorly secured third-party access—caused substantial brand and financial damage to both companies. This leads me to ask the question, do you trust your vendors too much when it comes to cybersecurity?

Many organizations appear to place too much trust in the vendors with whom they work. But there is a growing realization that the decision to grant a vendor access to a network needs to be based on more than blind faith. Instead, organizations need to put robust controls and checks in place to mitigate the security risk that vendors introduce. You must understand not only what technology and tools vendors use to access your network, but also monitor when they access your systems and every action they take during a session.

Clearly, vendors and third-party suppliers are vital to your organization, but you absolutely must layer in fine-grained control over their access to your systems. Let’s look at some of the threats associated with vendor access. We can break down the risk into two areas, as follows:

1. Risk from Outside

Contractors, HVAC companies (the Target breach infamously started via an HVAC vendor), building maintenance, managed service providers, and more: the list of third parties that may have access to your network at any given time is long. Many of these vendors connect to your systems remotely to perform their daily duties in support of your organization. The problem is that many of the systems they interact with are also connected to your corporate network. Numerous high-profile breaches (like the ones named above) have demonstrated that a vendor's network or credentials can be leveraged to gain access to your environment.

2. Typical Attack Vectors

Attackers steal a vendor's credentials, or compromise the vendor's own systems, to reach the systems that vendor manages in your environment, and then exploit unpatched vulnerabilities and poorly managed privileges to move laterally through your organization. You are only as secure as your weakest link: the security of your environment may rest on the security practices and controls of a third party.

These two threats can easily be thought of as good guys against the bad guys; in fact, I often hear people referring to this as “keeping the good guys good and the bad guys out.”

The Challenge of Vendor Access Security

The big issue with adhering to policy and maintaining security across two companies is that the credentials used by the remote vendor are often not under your direct control. Two different networks with two different user directories and, perhaps, two different security policies make your job of security compliance a challenge. Even if you had a way to ensure security best practices were being followed on the vendor's side, you may still have zero visibility into what activity is being performed on equipment that is connected to your network.

With that said, here is a list of Do’s and Don’ts for working with your vendors.

Do’s

  • Do understand the value of your data to your organization before allowing any third-party to access it
  • Do create security expectations for your vendors, describing/defining how they should secure your data
  • Do establish an incident response plan
  • Do only share the minimum information with your vendor required for them to meet your objectives
  • Do perform continuous security monitoring of your third-party vendors and contractors

Don’ts

  • Don’t create a generic expectation for security
  • Don’t allow third parties to access your data without doing proper assessments
  • Don’t let everyone in the third-party organization—or your organization—have access to your data
  • Don’t allow third-party users to access your data using unapproved devices
  • Don’t provide vendors with more information about proprietary products or information than they need

Additionally, here are three steps I recommend for you to implement if you want to have effective third-party risk management:

  • Establish ownership and buy-in – Ensure your vendors and third-party partners have a stake in securing your organization
  • Evaluate risks – Keep your eyes on the potential risk your partners pose to your organization
  • Continuously audit and monitor third-party activity – Log every vendor session and review it against what that vendor was actually approved to do: which user, from which device and network, to which systems, and when

The Importance of Cloud Computing to Your Cybersecurity Strategy

Using the cloud can be a good strategy for keeping your data secure, and not just when dealing with third-party partners. Cloud computing security has matured, and service providers have developed sophisticated (and more importantly, effective) techniques for detection and mitigation processes that most businesses simply cannot afford to implement on their own.

I used to think that keeping my resources on-premises and under my direct control guaranteed a strong security posture. However, I have learned that on-premises doesn’t necessarily mean more secure. All it takes is one phishing email or one missed update of an important piece of software for your data to be breached. Name some of the latest corporate security breaches and you’ll start to understand that on-premises deployments aren’t always able to defend against current threats.

When using a cloud model, your data is housed in data centers with restricted physical access, and the provider operates software and hardware controls that monitor the environment 24/7/365. Cloud providers use advanced monitoring solutions to keep an eye on your data and defend against threats, and many offer behavioral analytics that baseline how users, including your third-party partners, normally interact with your resources and flag deviations from that baseline.

Your on-premises server room also can’t always keep up with changing threats. A cloud provider detects and patches vulnerabilities in its underlying platform on its own schedule, usually far faster than most internal teams can manage, which is crucial to mitigating security risk. Note, though, that under the shared responsibility model this covers the provider’s layer only: the operating systems, applications, identities, and vendor access you configure on top of it remain yours to patch and monitor.

It is a “necessary evil” to allow third-party access, and that is quite the proper phrase for it. We have very little choice but to grant access to our partners. However, we cannot just give them carte blanche access. We must approach vendor security with a modern, secure process. We must employ methods that can give us the peace of mind we need to grant the access that is required, without giving our vendors the keys to the kingdom.

For a deeper dive on the best strategies/technologies for ensuring secure remote access, check out my on-demand webinar here.

Derek A. Smith, Founder, National Cybersecurity Education Center

Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland, University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy, and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.

Copyright © 1999 — 2022 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.