Third parties, contractors, and vendors play a dangerous role in data breaches. Breaches of this kind can cost your organization millions of dollars and will only continue to grow larger and more frequent. In fact, research shows that nearly half of all data breaches involve a third party or vendor. Many organizations are implementing various solutions to protect against third-party cyber-risk, but most fall short, are inefficient, and end up granting third parties too much access. To protect your data against the risks that come with third-party access, you should invest in a vendor access management solution.
Hackers often infiltrate companies through third-party access because it is frequently the weakest link in the network. What makes this even more attractive is that vendors often have access to multiple customer networks, so hackers can obtain a great deal of data for the effort of a single compromise. Organizations need to be vigilant about the access they grant to third parties and watch for the most common paths hackers take to gain it.
VPNs — Nothing but Access
Virtual private networks (VPNs) are used by nearly every organization, especially as the need for remote access grows. VPNs work well for connecting remote employees to internal resources, but that is where their functionality stops. VPNs provide nothing beyond encrypting traffic between two endpoints; they do not restrict what a connected user can reach.
Organizations need to ensure that all external third parties have secure access to only the networks, systems, and information they need. With a vendor access management solution, users are granted access only to the resources required to do their job, while remaining compliant with applicable regulations and industry requirements. Vendor-specific solutions allow secure access to only what matters, rather than full access to your entire network.
Phishing Attacks From the Outside
Phishing has become extremely sophisticated, and research shows that, on average, 90% of data breaches stem from a phishing attack. Organizations may conduct internal phishing tests to help educate employees on how to recognize a phishing attack, but this doesn't account for the people you don't directly hire. Your third parties could be untrained and susceptible to a phishing attack that inadvertently compromises your network, especially if they connect through a VPN or another tool that wasn't specifically designed for vendor connections. To protect against phishing attacks, it's important that all parties involved are educated with regular phishing simulation tests and security awareness training to ensure nothing is compromised.
The Dangers of Ransomware
Ransomware is another common danger that insecure third-party access can bring. The cost of ransomware attacks surpassed $7.5 billion in 2019 with downtime costs increasing 200% year-over-year. Ransomware attacks have caused severe downtime across many industries that provide critical infrastructure.
Beyond being expensive, ransomware attacks can be a danger to public safety, and organizations need to be prepared so that their information security systems are able to withstand these attacks. Organizations should implement a well-rounded cybersecurity strategy that keeps track of third-party activity and surfaces the signs of a breach before it happens.
Privileged Credentials Are a Threat
Credentials are not, and should not be, created equally. Privileged or administrative credentials have access to vastly greater resources than regular user accounts and can unlock further privileges for other employees when necessary. External third parties should almost never be given this level of access. Even though a third-party vendor representative may have no bad intentions, a bad actor can co-opt their machine via phishing or another attack and use their credentials to gain access to your network and systems. Thus, it's critically important for organizations to oversee and regularly audit all third-party activity.
Organizations need a vendor access management solution to control the access a vendor needs in a secure way and avoid compromises. Credentials written on a sticky note or, worse, sent to your vendor in a plaintext email don't cut it anymore and expose your organization to countless security vulnerabilities. Organizations need to invest in a solution specifically for managing vendors in order to have full visibility into vendor access and centralized software for managing secure access.
Whether it is an outside vendor or a contractor, taking the security of any third party with access to your network credentials seriously is of the utmost importance. Organizations need to think critically about their data governance in a holistic manner and take responsibility for the protection of their data wherever it resides. If a company is not diligent in putting in place solid, ongoing third-party and vendor management programs to secure vendor access, and following them up with good oversight and auditing, then the sins of the third party may become the sins of the company.
About the Author
Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of the (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect, holds the CISSP and GNSA certifications, and has a B.B.A. in Management Information Systems. Currently, Tony is the CISO at SecureLink, a vendor privileged access management company based in Austin, Texas.