Businesses today are increasingly reliant on third parties, such as contractors, contingent workers, and vendors. And while these third parties enable organizations to decrease operational costs and increase productivity and agility, this reliance also means greater numbers of external users need remote access to internal networks and sensitive corporate resources and data.
And herein lies the problem: If not adequately secured, these new external users and accounts can dramatically increase the likelihood of a serious data breach, as well as various regulatory violations.
Unfortunately, many organizations are failing to recognize and protect themselves from the risks posed by the third parties that require access to their systems and data. In fact, 87% of organizations have faced a disruptive incident involving a third party in the last three years, according to a recent Deloitte survey. The same survey found that 94.3% of companies are not confident in the tools used to manage third-party risk.
Your Organization’s Security is Only as Strong as Your Partners'
Most organizations use a variety of technologies, such as virtual private networks (VPNs) or virtual desktop infrastructure (VDI) to provide third-party users the access they need to do their jobs. Although these technologies can be a boon to productivity and collaboration, they can also introduce significant risk to your organization, especially when administrative rights are carelessly granted to third-party workers or when the third parties’ endpoints do not adhere to your security policies and standards.
When you provide access to a partner, you lower your security level to whatever their standards are, and your access points and credential policies are now only as strong as theirs.
For example, a point-of-sale (POS) vendor may have the privileges required to remotely push patches and updates to your POS systems, but the vendor may not have the same security policies and controls that you do. So, no matter how high your security previously was, your customers’ payment information is only as secure as your vendor is.
Many Vendors Prioritize Ease of Access, Not Security
Third-party vendors deal with hundreds or even thousands of client access points and policies. For convenience, vendors may use only one remote access tool per network and share generic credentials among employees. In some cases, this kind of access is even spread to fourth-party users—your vendor’s vendors.
If unsecured, this access creep can snowball quickly. In the end, you may have little visibility into the scope of information that is being shared by your partners, or with whom it is being shared, let alone the security practices and protocols of the third and fourth parties that have access to the information.
Hackers Know Third Parties Are Often the Weak Link
Of course, if there’s a weak link in your security, you can count on hackers to find it. Intruders are well aware of the problems with third-party access and look to exploit these weaknesses at any opportunity.
For attackers targeting organizations with strong security, it’s become standard operating procedure to identify a target’s vendors and then use spear-phishing techniques to get those vendors’ credentials for accessing the target company’s network.
Once inside the network, intruders look for ways to escalate their privileges, gain additional access points, and move laterally across systems. In this manner, your unsecured partners’ access can become a direct path for hackers to circumvent your security and install sophisticated malware on your network.
Most third-party contracts include a requirement for security controls that are designed to mitigate risk, but these are typically written controls with little or no way of actually enforcing compliance.
Mitigating These Risks
The risks associated with third-party access are ever-increasing, and the problem isn’t going away anytime soon. Organizations are only getting more integrated with their vendors and supply chains, thus opening more infrastructure and resources to potential threats. It’s clear that, to properly assess, monitor, and manage third-party risk, the right tools are absolutely essential.
Our new ebook, How to Minimize the Identity and Access Risks Associated with Third-Party Relationships, takes an in-depth look at the solutions and the proactive steps organizations should take to reduce the likelihood of a third-party breach and mitigate any damage intruders can do once inside the network.
Download the ebook now to learn nine steps to mitigate third-party risks with modern Identity and Access Management (IAM) and Multi-Factor Authentication!